Re: [gdm-list] Smartcard support in GDM?



G'day,

> gelgey vintela com wrote:
>> [Apologies if this has been asked before, but the gdm-list archives
>> appear to be empty]

> Where were you looking for the archives?  Perhaps you found a bad URL
> that needs to be fixed.

I was looking at http://mail.gnome.org/archives/gdm-list/, which was
recently displaying the message "No messages have been posted to this
list yet, so the archives are currently empty". Although now it appears
to be back up.

> The downside is that PAM has no good way of driving multiple sources
> of authentication concurrently, so it's painful (at best) to try to
> do something like "enter your username or insert your smartcard".

The above scenario is what I was trying to solve. I've got a PAM module
that does PKCS#11 and simply requests a PIN if a token is present, but
if a token is not present then there must be some way to communicate to
the user that password-based or token-based authentication is possible,
and for the PAM module to determine which one was selected.

I'm aware that PAM-enabled applications (such as GDM) should be neutral
as far as authentication mechanisms are concerned. But I could not see a way of communicating back to PAM that one or another authentication option had been selected, without making GDM at least respond to token insertion events. A kludge to get around the limitations of PAM, as you mentioned.

> The simplest way to proceed is to ask the user to "enter your
> username, or insert your card and then click 'restart' or 'OK'", and
> define the PAM stack in such a way that it runs your PAM module on
> 'restart' or 'OK'.  This isn't very slick but it works.

Not a very pleasing user experience, but it may be the way to go. I assume that clicking "restart" or "OK" instead of entering a username means that GDM returns a PAM conversation error?

-- Geoff
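Added example, not from Geoff's message or from the GDM project: a Linux-PAM auth stack for a display-manager service that implements the "insert your card, or just click OK and fall back to a password" arrangement discussed above. `pam_smartcard_pin.so` is a hypothetical name standing in for the PKCS#11 module Geoff describes; `pam_unix.so` is the standard Linux-PAM password module.

```pam
# Constructed example of an auth stack (e.g. a file under /etc/pam.d/ for the
# display manager). Not taken from the thread or from any distribution.
#
# "sufficient" means: if this module succeeds, authentication is finished
# here; if it fails, the failure is ignored and the stack carries on.

# 1. Hypothetical PKCS#11 module. When a token is present it prompts for the
#    PIN through the PAM conversation and verifies it. When no token is
#    present it must return a failure such as PAM_AUTHINFO_UNAVAIL *without*
#    prompting, so that a token-less user is not asked for a PIN and the
#    stack falls through to the password module.
auth    sufficient   pam_smartcard_pin.so

# 2. Password fallback, reached only when the token module did not succeed.
#    pam_unix prompts for the password via the same conversation function,
#    and as a "required" module its result decides the overall outcome.
auth    required     pam_unix.so
```

The ordering is what makes the single "OK" click work: the token module runs first and decides, by probing for a token itself, which of the two prompts the user sees. If the token module prompted for a PIN unconditionally, a user without a card would be stopped at a PIN prompt before ever reaching the password module. This stack is only evaluated once the display manager has started the PAM transaction, which is exactly the limitation the thread describes: nothing here reacts to a card being inserted while the login screen is idle.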


