@@ -162,10 +162,31 @@
 ])
 
 if test "${dodcerts}" = 'no'; then
 	AC_DEFINE(CACKEY_NO_EXTRA_CERTS, [1], [Specify that DoD certificates should not be made available])
 fi
+
+dnl Option to hard-code a command to run to request a PIN (enabling protected authentication path)
+AC_ARG_WITH(pin-command, AC_HELP_STRING([--with-pin-command=<command>], [Specify a command to run to request a PIN from the user.  The user may override this with the CACKEY_PIN_COMMAND environment variable.]), [
+	pincommand="${withval}"
+], [
+	pincommand="no"
+])
+
+AC_ARG_WITH(pin-command-x, AC_HELP_STRING([--with-pin-command-x=<command>], [Same as --with-pin-command, but only sets Protected Authentication Path if the DISPLAY environment variable is set]), [
+	pincommandxonly="${withval}"
+], [
+	pincommandxonly="no"
+])
+
+if ! test "${pincommand}" = 'no'; then
+	AC_DEFINE_UNQUOTED(CACKEY_PIN_COMMAND_DEFAULT, [$pincommand], [Command to run to prompt user for PIN])
+fi
+
+if ! test "${pincommandxonly}" = 'no'; then
+	AC_DEFINE_UNQUOTED(CACKEY_PIN_COMMAND_XONLY_DEFAULT, [$pincommandxonly], [Command to run to prompt user for PIN only if DISPLAY environment variable is set])
+fi
 
 dnl Set version script, to limit the scope of symbols
 DC_SETVERSIONSCRIPT(libcackey.vers, libcackey.syms)
 
 dnl Upate LDFLAGS to include setting the run-time linker path to the same as our compile-time linker