@DTS Engineer
I am trying to access the system keychain from an authorization plugin, as the login keychain is locked at the login window.
Is it possible to use a Keychain ACL or keychain sharing with an authorization plugin and make sure only the auth plugin has access to the keychain item?
@eskimo I am facing another issue along similar lines with PAM modules.
Can you please share your insights on this?
https://developer.apple.com/forums/thread/751017
Thanks for your reply.
Yes, the authorization right is system.login.console.
Yes. The custom auth plugin is using SFAuthorizationPluginView. Also, the custom auth plugin loads fine on logout. I referred to this sample app (https://github.com/skycocker/NameAndPassword).
Today the auth plugin only supports a password, which is set with the tag kAuthorizationEnvironmentPassword. I want to add smart card support to my custom auth plugin and provide an option to enter a PIN.
As per my understanding, when a smart card is connected the OS (Apple's native login window) automatically detects it and triggers authorization_ctk.
I couldn't find any API to trigger authorization_ctk from a custom auth plugin and allow the user to pass the PIN with the tag kAuthorizationEnvironmentPassword.
I updated /etc/pam.d/login with "auth sufficient pam_smartcard.so" to provide smart card support with my custom auth plugin.
Is there any way to trigger authorization_ctk from a custom auth plugin?
I was hoping that this approach would allow me to pass the smart card PIN with the tag kAuthorizationEnvironmentPassword and the user could log in. I see very mixed results with this approach, as it worked intermittently.
Any idea why /etc/pam.d/login is not showing consistent behavior? Is my understanding correct, or am I missing anything?
I tried the above approach by updating /etc/pam.d/authorization instead of /etc/pam.d/login, and it did work as expected in all the test attempts. I was able to pass the PIN via the custom authorization plugin and login was successful. However, another behavior that I noticed was that all the native apps (e.g. Slack) and browsers were getting logged out of the account.
Any idea what could have caused this behavior? Could it be something with the keychain? I kept the policy as sufficient for pam_smartcard.so so that other modules are not interrupted.
# authorization: auth account
auth sufficient pam_smartcard.so use_first_pass
auth optional pam_krb5.so use_first_pass use_kcminit no_auth_ccache
auth optional pam_ntlm.so use_first_pass
account required pam_opendirectory.so
Thanks in advance.
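Added example, not part of the thread or of any Apple code: a small Python model of the textbook PAM control-flag rules (sufficient, required, requisite, optional) run over the /etc/pam.d/authorization stanza quoted above, showing which modules actually execute when pam_smartcard.so accepts the PIN versus rejects it. The module outcomes are constructed assumptions fed to the simulator (nothing on the system is invoked), and the dispatch logic is a simplified model, not OpenPAM's exact code.

```python
AUTHORIZATION_STANZA = """\
# authorization: auth account
auth sufficient pam_smartcard.so use_first_pass
auth optional pam_krb5.so use_first_pass use_kcminit no_auth_ccache
auth optional pam_ntlm.so use_first_pass
account required pam_opendirectory.so
"""

def parse_stanza(text):
    """Parse pam.d lines into (facility, control, module, options) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            facility, control, module, *options = line.split()
            rules.append((facility, control, module, options))
    return rules

def run_stack(rules, facility, results):
    """Walk one facility's stack with the textbook control-flag rules.
    `results` maps module -> True/False (assumed outcomes; no module is
    really called); a module absent from it counts as failing.
    Returns (stack_ok, modules_that_ran)."""
    ran, required_failed, any_success = [], False, False
    for fac, control, module, _opts in rules:
        if fac != facility:
            continue
        ran.append(module)
        if results.get(module, False):
            any_success = True
            if control == "sufficient" and not required_failed:
                return True, ran  # short-circuit: the rest of the stack never runs
            continue
        if control == "requisite":
            return False, ran  # hard stop on failure
        if control == "required":
            required_failed = True  # keep running, but the stack will fail
        # a failing optional or sufficient module is simply skipped over
    # simulation rule: a stack in which nothing succeeded does not pass
    return any_success and not required_failed, ran

def authorize(stanza_text, results):
    """Run the auth stack and, only if it passes, the account stack."""
    rules = parse_stanza(stanza_text)
    auth_ok, auth_ran = run_stack(rules, "auth", results)
    if not auth_ok:
        return False, auth_ran, []
    acct_ok, acct_ran = run_stack(rules, "account", results)
    return acct_ok, auth_ran, acct_ran
```

Because pam_smartcard.so is marked sufficient, an accepted PIN ends the auth stack before pam_krb5.so and pam_ntlm.so run, while a rejected PIN falls through to both of them.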