Re: [gdm-list] My questions



On Tuesday 04 October 2005 09:44 pm, Bob Doolittle wrote:


>
> PAM is software.  To the extent that software can "handle"
> hardware events, yes :-)
>
OK
> For any type of hardware, such as smartcards, you need
> (or should have, at least) a framework/API to talk to it that
> expresses a useful model abstraction for talking to the
> hardware.  In the case of smartcards, you have MUSCLE.
> There's no reason that PAM can't use MUSCLE to talk to
> smartcards, or libusb to talk to USB devices, or specific
> hardware drivers for random devices, or whatever...
>
I do not use MUSCLE as I have my own framework - I guess my first job is to 
design a smart card event daemon based on that.

>
> Yes and no.  PAM gets control when the client (GDM)
> calls pam_authenticate().  This should happen when the
> client is ready for authentication to occur.  In GDM's case
> this is before proceeding to roll out a session for the user.
> It could certainly say "please insert your card".  I'm not sure
> what you mean by "click to logoff", but that sounds like
> something you want to happen within a session, not at
> authentication time.  PAM can't get involved after authentication
> has completed.  You don't need to authenticate to log off anyway,
> so I'm not sure why you'd want this.
>
Under windoze (and I like that feature), once you are logged in through the 
card, if you remove that card from the reader, the session locks. Then your 
options are
1) to insert your card again and authenticate yourself (so from the above, I 
have a problem with PAM)
2) logoff or restart/shutdown the PC


> >As two side questions, and assuming I've understood your meaning:
> >
> >1) how does PAM handle dialogs ?
>
> When the client calls pam_start() to initialize the PAM framework,
> it passes in a pointer to a "conversation function" that takes a
> string for a prompt and returns a string with the response.  The
> PAM service modules, when they want to do a user interaction, call
> the conversation function in the client.
>
> >2) where is the responsibility boundary between gdm and PAM
>
> pam_authenticate() is when the client (gdm) passes control
> to PAM.  Depending on what PAM modules you've configured in
> pam.conf, and how you've configured them, one or more
> modules might get control in succession.  Each does their
> notion of "authentication", interacting with the user as
> required, and returns PAM_SUCCESS if they are satisfied.  If
> all the configured modules return PAM_SUCCESS, then the
> pam_authenticate() returns PAM_SUCCESS to the client (gdm).
> If any module returns PAM_AUTH_ERR, then that gets returned
> to the client.  In the smartcard case, you probably expect
> admins to only configure your smartcard PAM module.  Maybe
> they'd also like to put a fingerprint scanner PAM module
> onto the stack for extra security, as well as a retina-scan
> PAM module :-).  It's up to the administrator to use one or
> all of these methods by configuring appropriate PAM modules
> for GDM (and any other authentication clients like screen lockers)
> in pam.conf.

I am still confused as to who handles the various dialog boxes: e.g. I insert a 
card and the dialog only allows for a PIN, while if I click on "By hand", I 
can choose a user + password the usual way.

My feeling about this thread (thanks to all for the replies) is that I'd 
better start (sigh) with a hack and present the source for comments.


Regards,

Philippe

-- 
*************************************
Philippe C. Martin
SnakeCard, LLC
www.snakecard.com
+1 405 694 8098
*************************************
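The client/module split Bob describes above (the client hands pam_start() a conversation function, each module on the stack calls it to prompt the user, and pam_authenticate() returns PAM_SUCCESS only if every configured module does) is easier to see in code. The following is an added example written for this thread, not code from the list, from GDM, or from libpam. It is a self-contained stand-in: the struct and constant names mirror the real ones in <security/pam_appl.h>, and the conversation signature is the real libpam one, but the "modules", the stack runner and the PIN/password values ("1234", "hunter2") are constructed for illustration. Real modules are loaded from pam.conf and verify credentials against the card or the password database; here they just compare against constants.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names mirror <security/pam_appl.h>; this file is a stand-in, not libpam. */
#define PAM_SUCCESS         0
#define PAM_AUTH_ERR        7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1   /* e.g. PIN or password: do not echo */
#define PAM_PROMPT_ECHO_ON  2   /* e.g. user name: echo is fine */

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Real libpam conversation-function signature. */
typedef int (*conv_fn)(int num_msg, const struct pam_message **msg,
                       struct pam_response **resp, void *appdata_ptr);
struct pam_conv { conv_fn conv; void *appdata_ptr; };

static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    if (d) memcpy(d, s, strlen(s) + 1);
    return d;
}

/* ---- Client side (what GDM would own) ---------------------------------- */
/* GDM would draw a dialog here. This scripted version answers from a
 * constructed table so the example runs offline. NULL means "no answer". */
struct scripted_answers { const char *pin; const char *password; };

static int scripted_conv(int num_msg, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata_ptr) {
    struct scripted_answers *a = appdata_ptr;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        const char *answer = NULL;
        if (strstr(msg[i]->msg, "PIN"))           answer = a->pin;
        else if (strstr(msg[i]->msg, "assword"))  answer = a->password;
        r[i].resp = answer ? dup_str(answer) : NULL;
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* ---- Module side (what a PAM service module would own) ----------------- */
typedef int (*module_fn)(const struct pam_conv *conv);

/* Helper a module uses to ask the client one question via the conversation. */
static int ask(const struct pam_conv *conv, int style, const char *prompt,
               char **out) {
    struct pam_message m = { style, prompt };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = conv->conv(1, &mp, &r, conv->appdata_ptr);
    if (rc != PAM_SUCCESS || !r) return PAM_CONV_ERR;
    *out = r[0].resp;           /* caller frees the string */
    free(r);
    return PAM_SUCCESS;
}

/* Constructed smartcard module: prompts for a PIN with echo off. A real
 * module would send the PIN to the card for verification. */
static int smartcard_module(const struct pam_conv *conv) {
    char *pin = NULL;
    if (ask(conv, PAM_PROMPT_ECHO_OFF, "Smartcard PIN: ", &pin) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    int ok = pin && strcmp(pin, "1234") == 0;      /* constructed value */
    free(pin);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Constructed password module, the "By hand" path. */
static int password_module(const struct pam_conv *conv) {
    char *pw = NULL;
    if (ask(conv, PAM_PROMPT_ECHO_OFF, "Password: ", &pw) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    int ok = pw && strcmp(pw, "hunter2") == 0;     /* constructed value */
    free(pw);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Stand-in for pam_authenticate(): runs the stack in pam.conf order. All
 * modules must succeed; the first failure is what the client gets back
 * (simplified: real PAM control flags such as required/sufficient add nuance). */
static int run_auth_stack(const struct pam_conv *conv, const module_fn *stack,
                          int n) {
    for (int i = 0; i < n; i++) {
        int rc = stack[i](conv);
        if (rc != PAM_SUCCESS) return rc;
    }
    return PAM_SUCCESS;
}

/* The client's view: build the conversation, hand it over, get one verdict. */
int authenticate_with(const char *pin, const char *password) {
    struct scripted_answers a = { pin, password };
    struct pam_conv conv = { scripted_conv, &a };
    module_fn stack[] = { smartcard_module, password_module };
    return run_auth_stack(&conv, stack, 2);
}

int main(void) {
    printf("card+password ok: %d\n", authenticate_with("1234", "hunter2"));
    printf("wrong PIN:        %d\n", authenticate_with("0000", "hunter2"));
    printf("no card answer:   %d\n", authenticate_with(NULL, "hunter2"));
    return 0;
}
```

The point of the structure is the responsibility boundary Philippe asks about: the client never sees the PIN check and the module never draws a dialog. Whether a login shows "PIN only" or "user + password" is decided by which modules the administrator stacks in pam.conf, and by the client's conversation function choosing how to render the prompts those modules send. Locking the session when the card is pulled is outside this flow entirely; it belongs to a session-time component (a screen locker) that itself calls pam_authenticate() again to unlock.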