Re: [gdm-list] My questions
- From: Bob Doolittle <Robert Doolittle Sun COM>
- To: Martin Paljak <martin paljak pri ee>
- Cc: gdm-list gnome org, Brian Cameron <Brian Cameron Sun COM>
- Subject: Re: [gdm-list] My questions
- Date: Tue, 04 Oct 2005 13:36:19 -0700
One final note. One of the really nice byproducts of doing
smartcard authentication in a PAM module is that you can
not only affect gdm, but screen lockers as well. It would
be pretty sad if we fixed up gdm to allow you to login with
a smartcard, but once your screen got locked you had to
type in a password to unlock it. By doing this in a PAM module,
and placing that PAM module on both gdm and the screen-locker's
stack, smartcard-insertion suddenly works for login as well
as screen unlock.
-Bob
Martin Paljak wrote:
On Tue, Oct 04, 2005 at 01:25:11PM -0700, Bob Doolittle wrote:
I don't understand your conclusion here. PAM is
request-response, but this has nothing to do with wanting a
username first. There is no such requirement. A username
request/response is no different from any other user
interaction, and there is no requirement that this be one of
the interactions.
As I said it was possible that i am wrong. Last time when i worked on this
issue it was 2002 i think.. Then i was left with the impression that it was not easy/possible
to achive the kind of functionality i hoped for. Maybe i did not dig too deep though or
it was just a sad combination of software stacked up so that it did not work so.
I'll STFW/RTFM a bit more on the topic.
If *MUSCLE* provides an event notification mechanism for
smartcard-insert, then a PAM module can block waiting for
this event. When it receives such an event, it can access
the card to read the username, set PAM_USER, then do
whatever other interactions are required.
I guess at that time i even didn't work with GDM but pure login services...
peace,
m.
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]