I created a custom PAM module following this, and it works fine with /etc/pam.d/sudo but doesn't work with /etc/pam.d/authorization and /etc/pam.d/login.
/etc/pam.d/sudo:

# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

/etc/pam.d/authorization:

# authorization: auth account
auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
auth       optional       pam_krb5.so use_first_pass use_kcminit no_auth_ccache
auth       optional       pam_ntlm.so use_first_pass
auth       sufficient     pam_smartcard.so use_first_pass
account    required       pam_opendirectory.so
- Is it even allowed to add a custom PAM module to /etc/pam.d/login or /etc/pam.d/authorization?
- Is it possible to create a mechanism with custom logic and replace <string>builtin:authenticate,privileged</string> in the system.login.console authorization right with it?

Note: I have also tried moving the .so file to /usr/lib/pam, but it failed even after disabling SIP.
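The two auth stacks above can be traced without loading any module, which makes it easier to see what placing a `sufficient` entry first actually does. The evaluator below is an added example and is not part of the original question or of the cpam project; it implements the documented required/requisite/sufficient/optional control-flag semantics in simplified form (the `include` line is skipped rather than resolved, and `optional` only decides the outcome when it is the sole entry), and the per-module results are assumed inputs rather than anything observed on a real system. The two config strings are copied from the question so the trace matches the posted files.

```python
"""Simplified PAM control-flag evaluator for tracing an auth stack.

Added example, not code from the original post. Module outcomes are supplied
by the caller as assumptions (True = PAM_SUCCESS, anything else = failure);
nothing is dlopen'ed. Semantics modelled (documented for Linux-PAM and
OpenPAM, simplified here):
  required   - failure is remembered, evaluation continues
  requisite  - failure returns immediately
  sufficient - success returns immediately unless a required entry already failed;
               failure is ignored
  optional   - ignored unless it is the only entry in the stack
  include    - not resolved in this model; the line is skipped
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Copied from the question (the two posted stacks).
SUDO_STACK = """
# sudo: auth account password session
auth       include        sudo_local
auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""

AUTHORIZATION_STACK = """
# authorization: auth account
auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
auth       optional       pam_krb5.so use_first_pass use_kcminit no_auth_ccache
auth       optional       pam_ntlm.so use_first_pass
auth       sufficient     pam_smartcard.so use_first_pass
account    required       pam_opendirectory.so
"""


@dataclass
class Entry:
    facility: str
    control: str
    module: str          # basename only, e.g. "cpam.so"
    args: List[str] = field(default_factory=list)


def parse_pam(text: str, facility: str = "auth") -> List[Entry]:
    """Return the entries of one facility (default: auth) from pam.d-style text."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue                             # malformed line, ignore
        fac, control, module, *args = fields
        if fac != facility or control == "include":
            continue                             # other facility, or unresolved include
        entries.append(Entry(fac, control, module.rsplit("/", 1)[-1], args))
    return entries


def evaluate(stack: List[Entry], results: Dict[str, bool]) -> Tuple[bool, List[Tuple[str, str, bool]]]:
    """Walk the stack with the assumed module results.

    Returns (authenticated, trace); the trace lists (module, control, result)
    for every entry that was actually consulted, so a short trace shows
    which modules were never reached.
    """
    required_failed = False
    any_success = False
    trace: List[Tuple[str, str, bool]] = []
    for e in stack:
        ok = results.get(e.module, False)        # unknown module is assumed to fail
        trace.append((e.module, e.control, ok))
        if e.control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True
        elif e.control == "requisite":
            if not ok:
                return False, trace
            any_success = True
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, trace               # short-circuit: later entries are skipped
        elif e.control == "optional":
            if len(stack) == 1:
                return ok, trace
    # Fell off the end: a remembered required failure denies; otherwise at
    # least one decisive success is needed (a stack of all-failing sufficient
    # entries does not authenticate).
    return (not required_failed) and any_success, trace


if __name__ == "__main__":
    for name, text in (("sudo", SUDO_STACK), ("authorization", AUTHORIZATION_STACK)):
        stack = parse_pam(text)
        for assumed in ({"cpam.so": True}, {"pam_opendirectory.so": True}, {}):
            ok, trace = evaluate(stack, assumed)
            print(f"{name:14} assumed={assumed} -> {ok}; consulted={[m for m, _, _ in trace]}")
```

Running it shows the property worth checking before shipping such a stack: when cpam.so returns success in /etc/pam.d/sudo, the trace contains only that module, so pam_smartcard.so and pam_opendirectory.so are never consulted; the custom module alone decides the outcome. When cpam.so fails, the chain continues and pam_opendirectory.so must succeed.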