Re: gscreensaver :: a bit of a mockup

[Sean Middleditch <elanthis awesomeplay com>]

On Tue, 2004-05-04 at 13:19, Davyd Madeley wrote:
> On Tue, 2004-05-04 at 13:11 -0400, Sean Middleditch wrote:
> 
> > Also, what will happen when the PAM module in use doesn't utilize
> > passwords?  Or uses multiple passwords?  Or whatever?
> 
> Obviously these are all issues that will have to be dealt with in the
> design.
> In fact, to be perfectly honest, I have no idea how xscreensaver deals
> with those things now. Ideally, I want to hook into gdm to do my authing
> (so that xscreensaver has no privledges).
> 
> How does gdm handle more non-standard auth methods?

I'm fairly sure it works using the standard PAM calls.  PAM will kick
back a challenge ("Password:") and GDM asks the user for it.  This is
why GDM doesn't have the username and password on the same screen, but
instead only shows the password entry after entering the username: PAM
doesn't send the first challenge until after its given a username. 
Altho modules do have the ability to request multiple inputs at once,
there isn't a guarantee that they will actually do so.  (Though it would
be nice if they did, as login managers and such could then more
consistently provide single dialogs for authentication.)

Basically, PAM kicks out one of four kinds of messages.  It either
prompts for text (that should be echoed back to the user using a normal
text input, like the username entry), secret text (normal password-type
stuff), normal output (a message), or error output.  The general idea is
that with these, PAM can get information from the user or provide
instructions to the user for authentication.  i.e., display a dialog
asking them to press their finger on the print scanner, then ask for
their full name, then ask for a passphrase, etc. - whatever the modules
in use want to do.

The PAM programming guides can probably explain it all a lot better than
I can.  :)

-- 
Sean Middleditch <elanthis awesomeplay com>
AwesomePlay Productions, Inc.