[gdm-list] security token monitoring architecture



Hey Brian,

So I have written code that uses NSS to load a PKCS11 driver and
listen for smart card insertion and removal events. It's a small
gobject that emits "security-token-inserted" and
"security-token-removed" signals.

What I'd like to do is add some configuration keys

daemon/SecurityTokensEnable, daemon/SecurityTokensModule, and
security/SecurityTokensPamStack

The first key would turn on the security token monitor on startup, the
second key would optionally load the specified pkcs11 module, and the
third one would be an alternative pam stack to use on local displays
when the smart card is inserted.

I currently have some code in gdm.c to listen for the inserted and
removed signals and to reset pam in those cases.  Doing it in-process
has a number of advantages:

1) we don't have to manage the lifecycle of another daemon (which is
intrinsically tied to the lifecycle of the gdm daemon)
2) we don't have to communicate with gdm through its external IPC
mechanisms, instead we can just talk to the slave directly.
3) we can put login related smart card UI in gdmsetup.

Even if the security token monitor is in process, we would solely be
using it to listen for insertion and removal events to reset PAM.  PAM
would do all the heavy lifting.

I could conceivably make the token monitoring code a separate daemon
and move it to utils, but I'd like to avoid that if possible.

Thoughts?
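As an added sketch (not the NSS/GObject code described in the post, nor anything from gdm): a Python model of the in-process design, where the monitor emits the two signals only on a presence transition and the gdm side picks the PAM stack from the three proposed keys. The probe callable, the module path and the stack names are assumed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
# The three configuration keys from the proposal; the values are constructed.
CONFIG = {
    "daemon/SecurityTokensEnable": True,
    "daemon/SecurityTokensModule": "/path/to/pkcs11-module.so",  # placeholder
    "security/SecurityTokensPamStack": "gdm-smartcard",          # constructed
}
DEFAULT_PAM_STACK = "gdm"  # constructed name for the ordinary local-display stack

@dataclass
class SecurityTokenMonitor:
    """Stand-in for the NSS-backed GObject. 'probe' is a hypothetical callable that
    returns True while a token sits in the slot; real code would ask PKCS#11."""
    probe: Callable[[], bool]
    present: bool = False  # assumption: a token seen on the first poll counts as inserted
    handlers: Dict[str, List[Callable[[], None]]] = field(default_factory=lambda: {
        "security-token-inserted": [], "security-token-removed": []})
    def connect(self, signal: str, callback: Callable[[], None]) -> None:
        self.handlers[signal].append(callback)
    def poll(self) -> Optional[str]:
        # Emit a signal only on a presence transition; repeated polls are no-ops.
        now = bool(self.probe())
        if now == self.present:
            return None
        self.present = now
        signal = "security-token-inserted" if now else "security-token-removed"
        for callback in self.handlers[signal]:
            callback()
        return signal

class Slave:  # the gdm.c side: swaps the PAM stack and counts how often PAM was reset
    def __init__(self, config: dict):
        self.config, self.pam_stack, self.pam_resets = config, DEFAULT_PAM_STACK, 0
    def attach(self, monitor: SecurityTokenMonitor) -> None:
        monitor.connect("security-token-inserted", self._on_inserted)
        monitor.connect("security-token-removed", self._on_removed)
    def _reset_pam(self, stack: str) -> None:  # PAM does the heavy lifting from here
        self.pam_stack, self.pam_resets = stack, self.pam_resets + 1
    def _on_inserted(self) -> None:
        self._reset_pam(self.config["security/SecurityTokensPamStack"])
    def _on_removed(self) -> None:
        self._reset_pam(DEFAULT_PAM_STACK)

def start_monitor(config: dict, probe: Callable[[], bool], slave: Slave):
    # Honour daemon/SecurityTokensEnable: when disabled, no monitor is created at all.
    if not config.get("daemon/SecurityTokensEnable"):
        return None
    monitor = SecurityTokenMonitor(probe)
    slave.attach(monitor)
    return monitor
```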


