Re: [gdm-list] multiple pam prompts at the same time?

[Brian Cameron <Brian Cameron Sun COM>]

Ludwig:

> > That said, I think it would be good if GDM supported PAM modules
> > that have conversations with multiple prompts.  It would be best
> > if this could be coded in a generic way so GDM "just works" with
> > different PAM modules without needing a lot of configuration.  In
> > other words, it would be best if GDM simply showed multiple entry
> > fields based on what PAM wants to know.
> >
> > Some concerns that need to be thought out...
> >
> > - If PAM supports conversations with multiple prompts, I suppose
> >    it could ask for 3 or 4 things, not just 1 or 2.  Both gdmlogin and
> >    gdmgreeter would require some work to support an arbitrary number of
> >    entry fields and connecting them to the PAM conversation properly.
> >    The current logic is fairly simple since it assumes PAM asks for
> >    one thing and GDM responds one-at-a-time.  I suspect it would be
> >    a bit of work to make this more dynamic.
>
> Yes. It's not just a gui only change. The communication protocol
> between greeter and backend needs to be enhanced too. Atm the
> backend sends a request and expects an immediate reply. With
> mulitple prompts the backend needs to send several requests, let the
> GUI process them all and receive the reply for all of them later. I
> thought of introducing two new message types that designate start
> and end of a 'registration form'. Messages sent between those
> markers are supposed to be displayed at once then.

This seems reasonable.  You will probabably need to take two different
approaches for gdmlogin and gdmgreeter.

Since the GUI for gdmlogin is controlled by the gui/gdmlogin.c code,
it probably isn't a big deal to add multiple entry fields on the
fly and just make sure that the GUI looks okay.

However, for gdmgreeter, since it's appearance is controlled by the
theme XML file, I suspect it might be necessary to make some new XML
tags where the theme can specify where the multiple entry fields
should display.  Then if gdmgreeter gets a message that requests
multiple things, it can know where to put the entry fields on the
screen layout.  If the theme does not support the multiple entry
fields, then the requests will likely need to be serialized with
gdmgreeter asking for them one at a time until they are all answered
and then process them at once.  Just a guess of how it could work.

> > - It isn't clear to me how this would work with gdmgreeter themes.
> >    Would this require special gdmgreeter themes that have the right
> >    number of entry fields defined?  If so, what happens if you use a
> >    theme that has multiple entry fields defined but a PAM module that
> >    wants a different number?  Also what happens if you use a theme
> >    that just has one entry field defined but PAM wants more than 1?
>
> The latter case is the easiest as you can serialize prompts, just as
> it's done atm.
>
> >    It would probably be better if GDM "just worked" without needing
> >    any special tags in the theme file.  Perhaps if the PAM module
> >    requests multiple prompts, then the theme just adapts and displays
> >    multiple entry fields instead of one?
>
> That would probably look ugly and upset the designer of the theme :-)

Yes, you are probably right.  As I mention above, perhaps the best
bet is to add some new label/entry tags to the XML format.  Currently we
only support "pam-prompt" for the label and "user-pw-entry" for the
entry field.  Perhaps we could also support "pam-prompt2",
"user-pw-entry2", "pam-prompt3", user-pw-entry3", etc.

Then if the PAM module supports multiple entries, gdmgreeter will
display the multiple entry fields allowing the user to enter them
at the same time.

One possible headache would be, what happens if the theme supports
less entries than the PAM module (e.g. PAM wants 3 but the theme
supports 2).  Perhaps gdmgreeter would just show one at a time in
all cases where the PAM module wants more than the theme supports.

> >    I'm not sure if this is
> >    possible, though.  It might be necessary to require specific themes
> >    that define multiple entry fields to work with such PAM modules.
>
> The theme could also define a "prompt area" that can be filled with
> prompts until it's full.

Yes, this could also work.

> > - How would GDM know which entry fields are "password" entry fields
> >    and should not echo entry to the screen?  I assume it might be
> >    possible to support PAM modules that ask for multiple passwords
> >    for example.  Does the "conversation with multiple prompts"
> >    protocol communicate to GDM which entries should not be echoed to
> >    the screen?  I hope so, it would be best to not make the display
> >    manager need to assume things about how the protocol works.
>
> PAM has four message types, info message, error message, prompt with
> echo on and prompt with echo off. GDM already handles that correctly
> (well, mostly :-)). There are some hacks that match for 'Username'
> or 'Password' in order to do fancy things in the GUI or to display
> different help messages.

Yes.  Also these hacks are to support translation.  Remember that on
some systems PAM is not localized so GDM tries to work around this
by displaying its own messages which are known to be localized by
GDM itself.  If we take out this code, then users with such PAM
modules who don't use the default English language would be upset.

That said, I'm not really sure if such systems exist anymore.  This
may have been a hack to fix things a long time ago, but now PAM
might be better about being properly localized in modern OS
distros.

I wouldn't be opposed to taking this out, and users with problems
can go complain to get the PAM bugs fixed rather than GDM trying
to fix such problems for them.  On the other hand, it might be
nice if we make this a GDM configuration option so the messages
can be turned on by users who need them.  With the understanding,
of course, that they only work with the normal/default PAM module.

Brian