Re: [gdm-list] My questions



One final note.  One of the really nice byproducts of doing
smartcard authentication in a PAM module is that you can
not only affect gdm, but screen lockers as well.  It would
be pretty sad if we fixed up gdm to allow you to login with
a smartcard, but once your screen got locked you had to
type in a password to unlock it.  By doing this in a PAM module,
and placing that PAM module on both gdm and the screen-locker's
stack, smartcard-insertion suddenly works for login as well
as screen unlock.

-Bob

Martin Paljak wrote:

On Tue, Oct 04, 2005 at 01:25:11PM -0700, Bob Doolittle wrote:
I don't understand your conclusion here.  PAM is
request-response, but this has nothing to do with wanting a
username first.  There is no such requirement.  A username
request/response is no different from any other user
interaction, and there is no requirement that this be one of
the interactions.
As I said, it was possible that I am wrong. The last time I worked on this issue was 2002, I think. Then I was left with the impression that it was not easy/possible
to achieve the kind of functionality I hoped for. Maybe I did not dig too deep though, or
it was just a sad combination of software stacked up so that it did not work so.

I'll STFW/RTFM a bit more on the topic.

If *MUSCLE* provides an event notification mechanism for
smartcard-insert, then a PAM module can block waiting for
this event.  When it receives such an event, it can access
the card to read the username, set PAM_USER, then do
whatever other interactions are required.

I guess at that time I didn't even work with GDM but pure login services...


peace,
m.
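
As an added illustration (not part of the original thread), the point about placing the same PAM module on both gdm's and the screen locker's stack could look like this in Linux-PAM configuration. The module name pam_pkcs11.so, the shared file name smartcard-auth and the service file names are assumptions; the thread names none of them.

```conf
# /etc/pam.d/smartcard-auth   (assumed shared file, included by both services)
# The smartcard module runs first. This is the module that would wait for
# the card, read the username from it and set PAM_USER.
auth     sufficient  pam_pkcs11.so
# Password fallback. Delete this line and change "sufficient" above to
# "required" if a card must be the only way in.
auth     required    pam_unix.so

# /etc/pam.d/gdm   (graphical login; assumed service name)
auth     include     smartcard-auth
account  required    pam_unix.so
session  required    pam_unix.so

# /etc/pam.d/gnome-screensaver   (screen unlock; assumed service name)
# Same auth stack as login, so inserting the card unlocks the screen
# without a separate password-only path.
auth     include     smartcard-auth
account  required    pam_unix.so
```

Keeping the auth lines in one included file means the two services cannot drift apart, which would otherwise leave the screen locker accepting a different credential than login does.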



