Thanks for your reply.
- Yes, the authorization right is system.login.console.
- Yes. The custom auth plugin is using SFAuthorizationPluginView. Also, the custom auth plugin is loading fine on logout. I referred to this sample app (https://github.com/skycocker/NameAndPassword).
Today the auth plugin only supports password which is set with tag kAuthorizationEnvironmentPassword.
I want to add support for smart card with my custom auth plugin and provide option to enter PIN.
As per my understanding, when a smart card is connected, the OS (Apple native login window) automatically detects it and triggers authorization_ctk.
I couldn’t find any API to trigger authorization_ctk from a custom auth plugin and allow the user to pass the PIN with tag kAuthorizationEnvironmentPassword.
I updated /etc/pam.d/login with auth sufficient pam_smartcard.so to provide support for smart card with my custom auth plugin.
Is there any way to trigger authorization_ctk from a custom auth plugin?
I was hoping that this approach would allow me to pass the smart card PIN with tag kAuthorizationEnvironmentPassword and the user could log in. I see very mixed results with this approach, as it worked intermittently.
Any idea why /etc/pam.d/login is not showing consistent behavior? Is my understanding correct or am I missing anything?
- I tried the above approach by updating /etc/pam.d/authorization instead of /etc/pam.d/login and it did work as expected in all the test attempts. I was able to pass the PIN via the custom authorization plugin and login was successful. Although, another behavior that I noticed was that all the native apps (ex: Slack) and browsers were getting logged out of the account.
Any idea what could have caused this behavior? Could it be something with keychain? I kept the policy as sufficient for pam_smartcard.so so that other modules are not interrupted:
# authorization: auth account
auth sufficient pam_smartcard.so use_first_pass
auth optional pam_krb5.so use_first_pass use_kcminit no_auth_ccache
auth optional pam_ntlm.so use_first_pass
account required pam_opendirectory.so
Thanks in advance.