What do the OS X authorization mechanisms actually do?
Solution 1:
From what I recall loginwindow:login is actually used in spawning the GUI login window, similar to builtin:policy-banner. So it is logical to be spawned before the rest of the actions. So the GUI window is the one that is actually irrelevant/bypassable, not the credentials themselves.
What exactly would you like to modify and towards what purpose? For example, if you require the authorization plugin to be invoked in other situations, you can do that by editing auth.db.
Also, builtin:authenticate sub-systems should handle differentiating between 802.1X and local auth.
Solution 2:
builtin:forward-login,privileged
Forwards the successful FileVault login to the OS X Login Window and bypasses the need to log in there. It's kind of like single sign-on. I disable this in my environment since it wasn't using the 802.1X profile I had set up. I would try doing that.
OS X: How to disable automatic login when FileVault is enabled
sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES
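Added example, not part of either answer: a small audit of the login rule's mechanism list, showing the order in which the mechanisms named above run, which ones are flagged privileged, and whether builtin:forward-login is still in the chain. The sample plist is constructed to match the shape printed by `security authorizationdb read system.login.console`; `ExamplePlugin` and the `EXPECTED_PLUGINS` baseline are assumptions to adjust for your own environment.

```python
import plistlib

# Constructed sample (trimmed, not a real dump) in the shape printed by
# `security authorizationdb read system.login.console`.
SAMPLE_RULE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key>
  <array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:forward-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>ExamplePlugin:check,privileged</string>
  </array>
</dict></plist>"""

# Assumption: the plugin names the reviewer expects to see in this rule.
EXPECTED_PLUGINS = {"builtin", "loginwindow"}

def parse_mechanism(entry):
    """Split 'plugin:mechanism[,privileged]' into (plugin, mechanism, privileged)."""
    name, _, flag = entry.partition(",")
    plugin, _, mechanism = name.partition(":")
    return plugin.strip(), mechanism.strip(), flag.strip() == "privileged"

def audit_rule(plist_bytes, expected=EXPECTED_PLUGINS):
    """Return the ordered mechanisms and a list of (position, name, note) findings."""
    rule = plistlib.loads(plist_bytes)
    parsed = [parse_mechanism(m) for m in rule.get("mechanisms", [])]
    findings = []
    for pos, (plugin, mech, priv) in enumerate(parsed):
        if plugin not in expected:
            note = "unexpected plugin" + (", runs privileged" if priv else "")
            findings.append((pos, f"{plugin}:{mech}", note))
        if (plugin, mech) == ("builtin", "forward-login"):
            findings.append((pos, "builtin:forward-login", "FileVault login is forwarded"))
    return parsed, findings

if __name__ == "__main__":
    mechanisms, findings = audit_rule(SAMPLE_RULE)
    for pos, (plugin, mech, priv) in enumerate(mechanisms):
        print(pos, f"{plugin}:{mech}", "privileged" if priv else "")
    for finding in findings:
        print("FINDING", finding)
```

On a real machine, pipe the output of the `security authorizationdb read` command into `audit_rule` instead of using `SAMPLE_RULE`.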