Re: [gdm-list] pam_setcred and session unlocking



On 11/6/07, Ray Strode <halfline gmail com> wrote:
> Hi,
>
> > So for trunk, do we think it is better to refresh the credentials for
> > the existing session in GDM or perhaps to make gnome-screensaver do it
> > in response to the Unlock signal from ConsoleKit?
> >
> > One possible advantage to doing it in gnome-screensaver is that we
> > ensure that the pam modules pick up the correct environment (for
> > things like krb cache files etc).
> >
> > One possible advantage to doing it in GDM is that it will work for
> > any type of session.
> So I'm pretty sure pam_setcred has to be called after the
> (re)authentication stack has been run, which means our choices are
> really:
>
> 1) call pam_setcred from GDM with the rest of the pam calls (status quo)
> 2) run the entire stack from gnome-screensaver and proxy the entire
> conversation to the gdm UI.

You're right.  That is an important distinction to make.

> 2 is obviously a lot more work than 1, but 1 probably won't work for
> some PAM modules (modules that store credentials in per-session state,
> like kernel keyring).  Maybe the answer is 1 now and 2 later, not
> sure.  Note "won't work" means don't refresh credentials, not fail
> entirely, so maybe not so bad.

Yeah.  So what I'll do is split up the Verification step into its
components: authenticate, authorize, and accredit.  And when we unlock
an existing session we can use a separate reaccredit method.

Jon

