login service in /etc/pam.d/login not getting executed

I am trying to pass the smart card PIN from a custom auth plugin with the tag kAuthorizationEnvironmentPassword. I added pam_smartcard.so to the login stack (/etc/pam.d/login), but the changes do not take effect.

# login: auth account password session
auth        sufficient    pam_smartcard.so
auth        optional      pam_krb5.so use_kcminit
auth        optional      pam_ntlm.so try_first_pass
auth        optional      pam_mount.so try_first_pass
auth        required      pam_opendirectory.so try_first_pass
account     required      pam_nologin.so
account     required      pam_opendirectory.so
password    required      pam_opendirectory.so
session     required      pam_launchd.so
session     required      pam_uwtmp.so
session     optional      pam_mount.so

What could possibly be going wrong here? Also, is there an API to trigger authorization_ctk from a custom auth plugin so it works with a smart card?

Accepted Reply

I’ve researched this in the past and my conclusion was that there was no way to replace the built-in login mechanism with SFAuthorizationPluginView and support smart cards. When you log in with a smart card the built-in login mechanism puts lots of state into the authorisation context/hints, and none of that is documented.

PS: I specifically call out this limitation in the QAuthPlugins > LoginUIAuthPlugin read me.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies

What authorisation right are we talking about here? system.login.console?

If so, is your auth plug-in using SFAuthorizationPluginView to replace the built-in login UI? Or are you supplementing it somehow?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for your reply.

  1. Yes, the authorization right is system.login.console.

  2. Yes. The custom auth plugin is using SFAuthorizationPluginView. Also, the custom auth plugin loads fine on logout. I referred to this sample app (https://github.com/skycocker/NameAndPassword).
Today the auth plugin only supports a password, which is set with the tag kAuthorizationEnvironmentPassword. I want to add smart card support to my custom auth plugin and provide an option to enter a PIN.

As per my understanding, when a smart card is connected the OS (Apple's native login window) automatically detects it and triggers authorization_ctk.

I couldn’t find any API to trigger authorization_ctk from a custom auth plugin and allow the user to pass the PIN with the tag kAuthorizationEnvironmentPassword.

I updated /etc/pam.d/login with "auth sufficient pam_smartcard.so" to provide smart card support with my custom auth plugin.

Is there any way to trigger authorization_ctk from a custom auth plugin?

I was hoping that this approach would allow me to pass the smart card PIN with the tag kAuthorizationEnvironmentPassword so the user could log in. I see very mixed results with this approach, as it worked only intermittently.

Any idea why /etc/pam.d/login is not showing consistent behavior? Is my understanding correct, or am I missing anything?

  1. I tried the above approach by updating /etc/pam.d/authorization instead of /etc/pam.d/login, and it did work as expected in all the test attempts. I was able to pass the PIN via the custom authorization plugin and login was successful. However, another behavior that I noticed was that all the native apps (e.g. Slack) and browsers were getting logged out of the account.

Any idea what could have caused this behavior? Could it be something with the keychain? I kept the policy as sufficient for pam_smartcard.so so that the other modules are not interrupted.

# authorization: auth account
auth       sufficient     pam_smartcard.so use_first_pass
auth       optional       pam_krb5.so use_first_pass use_kcminit no_auth_ccache
auth       optional       pam_ntlm.so use_first_pass
account    required       pam_opendirectory.so

Thanks in advance.
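As an added illustration (not code from the thread or from Apple), here is a small Python simulator of PAM control-flag semantics (required / sufficient / optional) applied to the auth phase of the /etc/pam.d/login stack quoted above; the per-module outcomes are constructed inputs. It shows that with `sufficient` at the top of the stack, a successful pam_smartcard.so ends the auth phase before the `required` pam_opendirectory.so module is ever invoked, while a pam_smartcard.so failure is simply ignored and the rest of the stack runs as before.

```python
from typing import Dict, List, Tuple

# The auth lines of the /etc/pam.d/login stack quoted in the thread.
LOGIN_AUTH = """
# login: auth account password session
auth        sufficient    pam_smartcard.so
auth        optional      pam_krb5.so use_kcminit
auth        optional      pam_ntlm.so try_first_pass
auth        optional      pam_mount.so try_first_pass
auth        required      pam_opendirectory.so try_first_pass
"""

Entry = Tuple[str, str, List[str]]  # (control flag, module, options)


def parse_stack(text: str, facility: str = "auth") -> List[Entry]:
    """Return (control, module, options) for each line of the given facility."""
    stack: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != facility:
            continue
        stack.append((parts[1], parts[2], parts[3:]))
    return stack


def run_stack(stack: List[Entry], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate the stack top to bottom; return (final result, modules invoked).

    Control-flag semantics (as in OpenPAM / Linux-PAM):
      required   - a failure is remembered, but later modules still run
      sufficient - success ends the stack immediately unless a required
                   module has already failed; a failure is ignored
      optional   - the result is ignored
    A module missing from `outcomes` is treated as failing (constructed input).
    """
    invoked: List[str] = []
    required_failed = False
    for control, module, _options in stack:
        ok = outcomes.get(module, False)
        invoked.append(module)
        if control == "required" and not ok:
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True, invoked  # short-circuit: nothing below this line runs
    return not required_failed, invoked


def modules_skipped(stack: List[Entry], outcomes: Dict[str, bool]) -> List[str]:
    """Modules in the stack that the evaluation never reached."""
    _result, invoked = run_stack(stack, outcomes)
    return [module for _c, module, _o in stack if module not in invoked]
```

Compare the invoked list for a succeeding pam_smartcard.so against the one for a failing pam_smartcard.so to see which modules each path actually exercises.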


@eskimo I am facing another issue along similar lines with PAM modules. Can you please share your insights on this?

https://developer.apple.com/forums/thread/751017