Re: [gdm-list] adding a command to externally fill the username field



Bob Doolittle <Robert Doolittle Sun COM> writes:


[...]
> I could imagine pam_sm_authenticate() logic like:
>
> Block for card-entry (maybe after putting up your own popup
>       window saying "Please insert card")
> Tear down popup window
> Read username off of unlocked portion of card
> Set PAM_USER to username
> Call conversation function with "Please enter PIN"
> Has another card insert or card remove event occurred while
>     we were blocked in the conversation function?
>  Yes: return PAM_AUTH_ERROR so we can start all over in the PAM stack
>  No: authenticate, and return PAM_SUCCESS or PAM_AUTH_ERROR
> Maybe you don't have to detect the card insert/card remove, just
> authenticate and it will fail if the card has changed (although if the card
> locks up after a certain number of failed authentication passes this
> is rather unfriendly since the user gets an unfair strike against them).

Ok.
The "press enter/cancel to restart the auth process" is not very
convenient, I would have preferred that to be handled by pam. (or
something else)

Hmm, or before verifying the pin code, I could check if the card in the
reader is still the one of $username. (if not => PAM_AUTH_ERROR)


> Also, remember that at the PIN-entry stage GDM will be displaying
> "Welcome Fred, please enter PIN:".  So before George inserts his
> card he might very well realize he simply needs to press return
> first.  Same as the traditional password entry case, right?

I see, it's up to me to pass the username from pam to gdm.

>> My last thoughts were about to write a greeter that would handle my
>> special needs :)
>> It seems for special needs like mine, pam is not enough. And using
>> pam would require more hacks than just quickly hacking a greeter.
>
> Care to elaborate?

Either way, I'll have to do some dev.
Using the pam way only, users will have to press enter (or cancel) if
the login process is already waiting for a pin code.
I could hack gdm/gdmgreeter to reset the authentication process on
top of the pam library adaptation.
I could simply write a quite simple greeter that would do all the job.
Or I could re-ask for the best way to add a new fifo or socket command
to tell a greeter to fill the username field with something.

Anyway thanks Bob for your time and your answers.

I think I will go for a modified pam library talking to a smartcard
daemon. The pam library would talk to the daemon to:
 - ask for the username
 - check the pin code (if the username still matches the one on the
    actual card)
 - ...

Possibly the daemon would send a SIGUSR1 to the correct greeter when
the card is removed, and the greeter would reset the authentication
process.

Thanks again.

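The check discussed in the message above (refuse before PIN verification when the card in the reader has changed, so a swapped card costs nobody a PIN attempt), as an added example that is not part of the original post and is not GDM or PAM code. The `card` and `reader` structs, the function names and the 3-try limit are hypothetical stand-ins for the smartcard daemon, and `AUTH_OK`/`AUTH_ERR` stand in for the PAM return codes.

```c
#include <stdio.h>
#include <string.h>

enum auth_result { AUTH_OK, AUTH_ERR };  /* stand-ins for PAM return codes */

/* Constructed model of what the card daemon knows (hypothetical names). */
struct card   { const char *user; const char *pin; int tries_left; };
struct reader { unsigned long generation; struct card *card; };

/* Every insert or remove event bumps the generation counter. */
void card_insert(struct reader *r, struct card *c) { r->generation++; r->card = c; }
void card_remove(struct reader *r) { r->generation++; r->card = NULL; }

/* Step 1: read the username off the card and remember which insertion
 * it came from. Returns -1 when no card is present. */
int begin_login(const struct reader *r, char *user, size_t n, unsigned long *gen)
{
    if (r->card == NULL) return -1;
    snprintf(user, n, "%s", r->card->user);
    *gen = r->generation;
    return 0;
}

/* Step 2, run after the PIN conversation returns. If any card event
 * happened while we were blocked, fail without presenting the PIN,
 * so the card now in the reader does not take a strike. */
enum auth_result finish_login(struct reader *r, unsigned long gen,
                              const char *user, const char *pin)
{
    if (r->card == NULL || r->generation != gen ||
        strcmp(r->card->user, user) != 0)
        return AUTH_ERR;                     /* restart, no PIN attempt used */
    if (r->card->tries_left == 0) return AUTH_ERR;          /* card locked */
    if (strcmp(r->card->pin, pin) != 0) { r->card->tries_left--; return AUTH_ERR; }
    r->card->tries_left = 3;                 /* success resets the counter */
    return AUTH_OK;
}

int main(void)
{
    struct card fred = {"fred", "1234", 3}, george = {"george", "9999", 3};
    struct reader r = {0, NULL};
    char user[32]; unsigned long gen;

    card_insert(&r, &fred);
    begin_login(&r, user, sizeof user, &gen);          /* prompt shows "fred" */
    card_remove(&r); card_insert(&r, &george);         /* swap during prompt */
    printf("result=%d george tries=%d\n",
           finish_login(&r, gen, user, "1234"), george.tries_left);
    return 0;
}
```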