Re: [gdm-list] pam_setcred and session unlocking



Hi,

> So for trunk, do we think it is better to refresh the credentials for
> the existing session in GDM or perhaps to make gnome-screensaver do it
> in response to the Unlock signal from ConsoleKit?
>
> One possible advantage to doing it in gnome-screensaver is that we
> ensure that the pam modules pick up the correct environment (for
> things like krb cache files etc).
>
> One possible advantage to doing it in GDM is that it will work for
> any type of session.

So I'm pretty sure pam_setcred has to be called after the
(re)authentication stack has been run, which means our choices are
really:

1) call pam_setcred from GDM with the rest of the pam calls (status quo)
2) run the entire stack from gnome-screensaver and proxy the entire
conversation to the gdm UI.

2 is obviously a lot more work than 1, but 1 probably won't work for
some PAM modules (modules that store credentials in per-session state,
like kernel keyring).  Maybe the answer is 1 now and 2 later, not
sure.  Note "won't work" means don't refresh credentials, not fail
entirely, so maybe not so bad.

--Ray

