While stress-testing the module in https://lists.fedorahosted.org/pipermail/pam-developers/2012-October/0003..., I found that the current pam_xauth does not work properly when the old home-directory is hidden after the unshare (the same problem can occur with pam_namespace). The reason is that the reading of xauth-cookie needs to be done before the unshare, and the writing needs to be done after the unshare. Attached is a python mockup (to be called by pam_python from http://ace-host.stuart.id.au/russell/files/pam_python/) of a revised xauth module. The .conf file should contain something like: session optional pam_python.so /etc/pam.d/xauth.py get # The following include might make the current home-directory # unreadable (by pam_namespace or other modules doing pam_unshare) session include system-auth session optional pam_python.so /etc/pam.d/xauth.py set Regards Anders Blomdell -- Anders Blomdell Email: anders.blomdell(a)control.lth.se Department of Automatic Control Lund University Phone: +46 46 222 4625 P.O. Box 118 Fax: +46 46 138118 SE-221 00 Lund, Sweden