Re: [gdm-list] GDM smartcard hack

[Brian Cameron <Brian Cameron Sun COM>]

Geoff:

> A while back I asked if there was any smartcard support in GDM. 

Since GDM supports PAM, it should be possible to define a PAM module
that will work with a SmartCard without needing to modify GDM.  There
might be some corner cases where the GUI can be improved to work
better with PAM in general when using custom PAM modules, but we'll
explore such issues when we have specific examples to discuss.

> All I really want at this point is to write out a PAM prompt such as
> "Insert card or enter username", and have GDM recognize if a card has
> been inserted. At that point the PAM conversation would return with an
> empty username and the PAM application would check if a card is present,
> and get the username from the card, etc.

It might be possible to get this sort of thing to work with one PAM
module, but probably better to have separate modules for keyboard entry
and SmartCard.  PAM isn't really designed for a single PAM module to
handle multiple kinds of authentication.

I'd make it work something like this...

The default PAM module would be the one for keyboard entry and would
provide the prompt you want that says "you can also insert a SmartCard".

This PAM module (or a separate daemon or a GTK_MODULE loaded into the
GDM daemon) should be listening for SmartCard insertion) and should
shutdown and restart GDM with the new PamStack configuration setting.
This would just mean modifying the GDM configuration file and telling
GDM to update the setting via gdmflexiserver --command "UPDATE_CONFIG 
key".  This PAM module should grab the username from the smartcard and
tell GDM to ask for password.

Likewise, upon SmartCard removal (or perhaps also after a timeout if the
user doesn't enter password in a long time), then the GUI should be
reset with the original PamStack.

Note that PamStack can be specified in per-display configuration, so you
can have different PamStack values for different displays.  In a multi-
display environment, this allows one user to be using SmartCard and
another user to be entering via keyboard simultaneously.  You can
specify the display with the key when using UPDATE_CONFIG for
per-display usage.

It might be a bit nicer if GDM were enhanced to not actually restart,
but tear down and rebuild the PAM stack on the fly.  Would be faster
and avoid flicker as GDM goes down and up.  But this is just a UI
improvement.

> I've got a hacked version of GDM that starts a thread (in the greeter
> process) when PAM_PROMPT is found. This thread monitors the card status
> and if a card status is "present" then it writes the special symbol STX
> to stdout. This is read by the slave process and returned via
> gdm_slave_greeter_ctl() function. The thread exits when either a card is
> found to be present or an actual username is obtained at the prompt. 

I don't think it is appropriate to hack the GDM GUI code with specific
code like this.  Each SmartCard implementation, fingerprint reader,
eye scanner, or whatever probably wants their own logic.  Not good to
clutter up the code.  I'd recommend putting the code listening for
SmartCard insertion/removal in a separate daemon, the PAM module
itself or a GTK_MODULE that you could load with the GDM daemon.

> For example, in daemon/verify-pam.c:
>
>   switch (msg[replies]->msg_style) {
>     case PAM_PROMPT_ECHO_ON:
>       ...
>
>       /* Start a thread that will recognize a token */
>       gdm_slave_greeter_ctl_no_ret(GDM_TOKEN, _("insert"));
>
>       /* Get a username. Token thread may force this to return */
>       s = gdm_slave_greeter_ctl (GDM_PROMPT, m);
>
>       /* Stop token thread */
>       gdm_slave_greeter_ctl_no_ret(GDM_TOKEN, _("stop"));
>
>       
> This "sort of" emulates entering an empty username at the prompt and
> seems to work, although I do worry about corrupting stdout (ie, user
> enters a name at the prompt and inserts a card at the same time).
>
> I've glossed over a lot of details, but it's quite a hack and I'm
> wondering if there is a better way of doing this than starting my own
> monitoring thread and writing directly to stdout. For example, is it
> better to push an event on the Gtk queue rather than writing directly to
> stdout?
>
> I haven't been following the GDM changes too closely, so maybe some kind
> of smartcard functionality or "start a user service on demand"
> functionality already exists.
>
> Any thoughts appreciated.

I think that there are better ways to integrate with PAM/SmartCard
support than hacking up the GDM code like you suggest.  Hopefully this
gives you some pointers about how to make it work.

Brian