Re: [gdm-list] multiple pam prompts at the same time?
- From: Brian Cameron <Brian Cameron Sun COM>
- To: Ludwig Nussel <ludwig nussel suse de>
- Cc: gdm-list gnome org
- Subject: Re: [gdm-list] multiple pam prompts at the same time?
- Date: Mon, 29 Jan 2007 14:31:42 +0800
Ludwig:

Many people ask this question. I'm not sure why people think that
asking for both username and password in the same GUI makes such a
significant usability improvement, but many people seem to think
so. There aren't currently any plans to support this, but if you
have an interest in coding this, then I'd be happy to help you
understand the code and how to approach making the change.

That said, I think it would be good if GDM supported PAM modules
that have conversations with multiple prompts. It would be best
if this could be coded in a generic way so GDM "just works" with
different PAM modules without needing a lot of configuration. In
other words, it would be best if GDM simply showed multiple entry
fields based on what PAM wants to know.

Some concerns that need to be thought out...

- If PAM supports conversations with multiple prompts, I suppose
  it could ask for 3 or 4 things, not just 1 or 2. Both gdmlogin and
  gdmgreeter would require some work to support an arbitrary number of
  entry fields and connecting them to the PAM conversation properly.
  The current logic is fairly simple since it assumes PAM asks for
  one thing and GDM responds one-at-a-time. I suspect it would be
  a bit of work to make this more dynamic.

- It isn't clear to me how this would work with gdmgreeter themes.
  Would this require special gdmgreeter themes that have the right
  number of entry fields defined? If so, what happens if you use a
  theme that has multiple entry fields defined but a PAM module that
  wants a different number? Also what happens if you use a theme
  that just has one entry field defined but PAM wants more than 1?
  It would probably be better if GDM "just worked" without needing
  any special tags in the theme file. Perhaps if the PAM module
  requests multiple prompts, then the theme just adapts and displays
  multiple entry fields instead of one? I'm not sure if this is
  possible, though. It might be necessary to require specific themes
  that define multiple entry fields to work with such PAM modules.
  I'm guessing this would require some research and thought.

- How would GDM know which entry fields are "password" entry fields
  and should not echo entry to the screen? I assume it might be
  possible to support PAM modules that ask for multiple passwords
  for example. Does the "conversation with multiple prompts"
  protocol communicate to GDM which entries should not be echoed to
  the screen? I hope so, it would be best to not make the display
  manager need to assume things about how the protocol works.

Brian

> When I remind people that KDM's PAM support is broken and they
> better use GDM I always get to hear that GDM doesn't support asking
> for username and password at the same time. KDM's way to do that is
> a nasty hack but since PAM modules can create conversations with
> multiple prompts there is no need for such hacks IMO. pam_unix2
> already supports asking for username and password at once. Now
> applications just need to make use of it :-)
>
> Are there any plans to support multiple text entries and messages at
> the same time rather than processing one after another in gdm?
>
> If you want to check how gdm behaves with weird pam conversations
> you can try this module:
> http://www.suse.de/~lnussel/pamwrapper/pam_testprompt-0.0_SVN39.tar.bz2
> (alternatively http://software.opensuse.org/download/home:/lnussel/SLES_9/src/)
>
> cu
> Ludwig
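
Added example, not code from either mail or from GDM: in the PAM conversation interface every message in a batch carries its own `msg_style`, which is how an application can tell which prompts must not be echoed. The sketch maps one batch to entry fields; the `field` types, `plan_fields`, `demo`, `MAX_FIELDS` and the sample prompts are assumptions, and the PAM definitions are local stand-ins mirroring Linux-PAM's `<security/pam_appl.h>` so the block builds without libpam headers.

```c
#include <stddef.h>

/* Local stand-ins mirroring Linux-PAM's <security/pam_appl.h>, declared
 * here (assumption) so the example builds without the libpam headers. */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4
struct pam_message { int msg_style; const char *msg; };

/* Hypothetical greeter-side widget description (not GDM's own types). */
enum field_kind { FIELD_ENTRY, FIELD_SECRET, FIELD_LABEL, FIELD_ERROR };
struct field { enum field_kind kind; const char *text; };
#define MAX_FIELDS 8

/* Map one conversation batch to widgets. Returns how many replies must be
 * collected, or -1 when the batch is malformed, too large, or contains an
 * unknown style (a conversation function would then return PAM_CONV_ERR). */
int plan_fields(int num_msg, const struct pam_message **msg, struct field *out)
{
    int replies = 0;
    if (num_msg <= 0 || num_msg > MAX_FIELDS || msg == NULL || out == NULL)
        return -1;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i] == NULL)
            return -1;
        out[i].text = msg[i]->msg;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF: out[i].kind = FIELD_SECRET; replies++; break;
        case PAM_PROMPT_ECHO_ON:  out[i].kind = FIELD_ENTRY;  replies++; break;
        case PAM_ERROR_MSG:       out[i].kind = FIELD_ERROR;  break;
        case PAM_TEXT_INFO:       out[i].kind = FIELD_LABEL;  break;
        default:                  return -1; /* fail closed, never echo by default */
        }
    }
    return replies;
}

/* Constructed sample messages: username and password asked in one call. */
static const struct pam_message m_user = { PAM_PROMPT_ECHO_ON,  "login: " };
static const struct pam_message m_pass = { PAM_PROMPT_ECHO_OFF, "Password: " };
static const struct pam_message m_bad  = { 99, "?" };

/* Returns the reply count, -1 on rejection, -2 if a field kind is wrong. */
int demo(int use_bad)
{
    const struct pam_message *batch[] = { &m_user, use_bad ? &m_bad : &m_pass };
    struct field f[MAX_FIELDS];
    int n = plan_fields(2, batch, f);
    return (n == 2 && (f[0].kind != FIELD_ENTRY || f[1].kind != FIELD_SECRET)) ? -2 : n;
}
```

Linux-PAM hands the conversation function an array of pointers to messages, the layout assumed here; other PAM implementations may lay the array out differently.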