Re: [gdm-list] multiple pam prompts at the same time?



Brian Cameron wrote:
> Many people ask this question.  I'm not sure why people think that
> asking for both username and password in the same GUI makes such a
> significant usability improvement, but many people seem to think
> so.

The users are at fault as usual ;-)
http://www.betterdesktop.org/welcome/reports/report-login.html

> There aren't currently any plans to support this, but if you
> have an interest in coding this, then I'd be happy to help you
> understand the code and how to approach making the change.

Yeah, I'm thinking about it.

> That said, I think it would be good if GDM supported PAM modules
> that have conversations with multiple prompts.  It would be best
> if this could be coded in a generic way so GDM "just works" with
> different PAM modules without needing a lot of configuration.  In
> other words, it would be best if GDM simply showed multiple entry
> fields based on what PAM wants to know.
> 
> Some concerns that need to be thought out...
> 
> - If PAM supports conversations with multiple prompts, I suppose
>    it could ask for 3 or 4 things, not just 1 or 2.  Both gdmlogin and
>    gdmgreeter would require some work to support an arbitrary number of
>    entry fields and connecting them to the PAM conversation properly.
>    The current logic is fairly simple since it assumes PAM asks for
>    one thing and GDM responds one-at-a-time.  I suspect it would be
>    a bit of work to make this more dynamic.

Yes. It's not just a gui only change. The communication protocol
between greeter and backend needs to be enhanced too. Atm the
backend sends a request and expects an immediate reply. With
multiple prompts the backend needs to send several requests, let the
GUI process them all and receive the reply for all of them later. I
thought of introducing two new message types that designate start
and end of a 'registration form'. Messages sent between those
markers are supposed to be displayed at once then.

> - It isn't clear to me how this would work with gdmgreeter themes.
>    Would this require special gdmgreeter themes that have the right
>    number of entry fields defined?  If so, what happens if you use a
>    theme that has multiple entry fields defined but a PAM module that
>    wants a different number?  Also what happens if you use a theme
>    that just has one entry field defined but PAM wants more than 1?

The latter case is the easiest as you can serialize prompts, just as
it's done atm.

>    It would probably be better if GDM "just worked" without needing
>    any special tags in the theme file.  Perhaps if the PAM module
>    requests multiple prompts, then the theme just adapts and displays
>    multiple entry fields instead of one?

That would probably look ugly and upset the designer of the theme :-)

>    I'm not sure if this is
>    possible, though.  It might be necessary to require specific themes
>    that define multiple entry fields to work with such PAM modules.

The theme could also define a "prompt area" that can be filled with
prompts until it's full.

> - How would GDM know which entry fields are "password" entry fields
>    and should not echo entry to the screen?  I assume it might be
>    possible to support PAM modules that ask for multiple passwords
>    for example.  Does the "conversation with multiple prompts"
>    protocol communicate to GDM which entries should not be echoed to
>    the screen?  I hope so, it would be best to not make the display
>    manager need to assume things about how the protocol works.

PAM has four message types, info message, error message, prompt with
echo on and prompt with echo off. GDM already handles that correctly
(well, mostly :-)). There are some hacks that match for 'Username'
or 'Password' in order to do fancy things in the GUI or to display
different help messages.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/



