I am trying to pass smart card PIN from a custom auth plugin with tag kAuthorizationEnvironmentPassword. I added pam_smartcard.so to login stack (\etc\pam.d\login) but the changes do not take place.
# login: auth account password session
auth sufficient pam_smartcard.so
auth optional pam_krb5.so use_kcminit
auth optional pam_ntlm.so try_first_pass
auth optional pam_mount.so try_first_pass
auth required pam_opendirectory.so try_first_pass
account required pam_nologin.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_launchd.so
session required pam_uwtmp.so
session optional pam_mount.so
What could possible be going wrong in this ? Also is there an API to trigger authorization_ctk from a custom auth plugin to work with smart card ?
I’ve researched this in the past and my conclusion was that there was no way to replace the built-in login mechanism with SFAuthorizationPluginView
and support smart cards. When you log in with a smart card the built-in login mechanism puts lots of state into the authorisation context/hints, and none of of that is documented.
ps I specifically call out this limitation in the QAuthPlugins > LoginUIAuthPlugin read me.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"