Brief
I am developing a custom-built Pluggable Authentication Module (PAM) which provides login to the user through some custom validations I have put in place (which are without a password). I have also implemented a custom Authorization Plugin that replaces the default loginwindow to accept a factor other than a password from the user for their authentication.
Now, when I am using this custom PAM in conjunction with the custom Authorization Plugin, the user is able to log in. However, I am facing issues with keychain unlock.
Issue
This flow always creates a new keychain instead of unlocking it, or at least asking for the keychain password to unlock it, when the user logs in.
- Is there an acceptable way of doing this where I am able to negotiate with the keychain to unlock it from within my custom PAM?
- Is there something wrong that I am doing which is causing this to break or is this a known side-effect of using non-password based PAMs?
Technical Details
- created a custom Authorization Plugin which accepts a factor other than a password for user login
- updated the authorizationdb entry to replace the default loginwindow:login mechanism with my custom Authorization Plugin mechanism.
- created a custom PAM that uses the above credential (non-password), validates it and provides login to the user
- the custom PAM is added to the authorization file in the /etc/pam.d folder as follows:
# authorization: auth account
auth sufficient <full path to custom_pam.so>
auth optional pam_krb5.so use_first_pass use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
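As an added illustration (not part of the original post, and not Apple's or OpenPAM's code), the following C model evaluates the /etc/pam.d/authorization auth stack quoted above with constructed per-module results, to show which modules actually execute once the custom module returns success. The control-flag rules are a simplified rendering of the usual required/requisite/sufficient/optional semantics rather than a reimplementation of OpenPAM, the result codes are this model's own, and the outcomes assigned to each module are assumptions.

```c
/*
 * Added example: a simplified model of PAM "auth" stack evaluation, used to
 * trace the stack quoted in the post. Module names mirror the posted pam.d
 * lines; per-module results are constructed, and the control-flag rules are a
 * simplified model, not OpenPAM's dispatch code.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this model (PAM_SUCCESS is 0 in every PAM; the other value
 * is chosen for the model rather than copied from a header). */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 9 };

typedef enum { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL } control_t;

typedef struct {
    const char *name;    /* module as written in the pam.d file */
    control_t   control; /* control flag from the same line */
    int         result;  /* constructed: what the module would return */
    int         ran;     /* filled in by the evaluator: did it execute? */
} module_t;

/*
 * Walk an auth stack top to bottom and return the stack's verdict.
 * Rules modelled:
 *   requisite  - failure stops the stack immediately with that failure
 *   required   - failure is remembered, later modules still run
 *   sufficient - success stops the stack with PAM_SUCCESS unless a required
 *                module already failed; its failure alone does not deny
 *   optional   - never decides on its own
 *   end        - a remembered required failure wins; otherwise success if any
 *                module succeeded, else the first failure seen
 */
int run_auth_stack(module_t *stack, size_t n)
{
    int required_failed = 0, required_error = PAM_SUCCESS;
    int first_failure = PAM_SUCCESS, any_success = 0;
    size_t i;

    if (n == 0)
        return PAM_AUTH_ERR; /* model: an empty stack denies */

    for (i = 0; i < n; i++) {
        module_t *m = &stack[i];
        m->ran = 1;
        if (m->result == PAM_SUCCESS)
            any_success = 1;
        else if (first_failure == PAM_SUCCESS)
            first_failure = m->result;

        switch (m->control) {
        case REQUISITE:
            if (m->result != PAM_SUCCESS)
                return m->result;
            break;
        case REQUIRED:
            if (m->result != PAM_SUCCESS && !required_failed) {
                required_failed = 1;
                required_error = m->result;
            }
            break;
        case SUFFICIENT:
            if (m->result == PAM_SUCCESS && !required_failed)
                return PAM_SUCCESS; /* the rest of the stack never runs */
            break;
        case OPTIONAL:
            break;
        }
    }
    return required_failed ? required_error
                           : (any_success ? PAM_SUCCESS : first_failure);
}

/* Build the stack quoted in the post. custom_result and od_result are the
 * constructed outcomes of the custom module and pam_opendirectory; the two
 * use_first_pass modules are assumed to fail because no password was given. */
size_t build_posted_stack(module_t out[4], int custom_result, int od_result)
{
    module_t s[4] = {
        { "custom_pam.so",        SUFFICIENT, custom_result, 0 },
        { "pam_krb5.so",          OPTIONAL,   PAM_AUTH_ERR,  0 },
        { "pam_ntlm.so",          OPTIONAL,   PAM_AUTH_ERR,  0 },
        { "pam_opendirectory.so", REQUIRED,   od_result,     0 },
    };
    memcpy(out, s, sizeof s);
    return 4;
}

/* Number of modules that actually executed. */
int modules_run(const module_t *stack, size_t n)
{
    int count = 0;
    size_t i;
    for (i = 0; i < n; i++)
        count += stack[i].ran;
    return count;
}

int main(void)
{
    module_t stack[4];
    size_t n, i;
    int r;

    /* Case 1: the custom factor validates. */
    n = build_posted_stack(stack, PAM_SUCCESS, PAM_AUTH_ERR);
    r = run_auth_stack(stack, n);
    printf("custom factor accepted: result=%d, modules run=%d\n", r, modules_run(stack, n));
    for (i = 0; i < n; i++)
        printf("  %-22s %s\n", stack[i].name, stack[i].ran ? "ran" : "skipped");

    /* Case 2: the custom factor is rejected; the rest of the stack decides. */
    n = build_posted_stack(stack, PAM_AUTH_ERR, PAM_SUCCESS);
    r = run_auth_stack(stack, n);
    printf("custom factor rejected: result=%d, modules run=%d\n", r, modules_run(stack, n));
    return 0;
}
```

With the first line marked sufficient, a successful custom module ends the auth phase right there: the three modules below it, including pam_opendirectory.so with use_first_pass and nullok, are skipped, and unless the custom module itself sets the PAM auth token, nothing in this stack has supplied a password for use_first_pass to consume. Only when the custom factor is rejected does pam_opendirectory.so get to decide.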