Re: [gdm-list] pam_setcred and session unlocking
- From: "William Jon McCann" <mccann jhu edu>
- To: "Ray Strode" <halfline gmail com>
- Cc: gdm-list gnome org
- Subject: Re: [gdm-list] pam_setcred and session unlocking
- Date: Tue, 6 Nov 2007 14:16:41 -0500
On 11/6/07, Ray Strode <halfline gmail com> wrote:
> Hi,
>
> > So for trunk, do we think it is better to refresh the credentials for
> > the existing session in GDM or perhaps to make gnome-screensaver do it
> > in response to the Unlock signal from ConsoleKit?
> >
> > One possible advantage to doing it in gnome-screensaver is that we
> > ensure that the pam modules pick up the correct environment (for
> > things like krb cache files etc).
> >
> > One possible advantage to doing it in GDM is that it will work for
> > any type of session.
> So I'm pretty sure pam_setcred has to be called after the
> (re)authentication stack has been run, which means our choices are
> really:
>
> 1) call pam_setcred from GDM with the rest of the pam calls (status quo)
> 2) run the entire stack from gnome-screensaver and proxy the entire
> conversation to the gdm UI.
You're right. That is an important distinction to make.
> 2 is obviously a lot more work than 1, but 1 probably won't work for
> some PAM modules (modules that store credentials in per-session state,
> like kernel keyring). Maybe the answer is 1 now and 2 later, not
> sure. Note "won't work" means don't refresh credentials, not fail
> entirely, so maybe not so bad.
Yeah. So what I'll do is split up the Verification step into its
components: authenticate, authorize, and accredit. And when we unlock
an existing session we can use a separate reaccredit method.
Jon
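
The split proposed in this message, as an added sketch that is not code from GDM or gnome-screensaver: verification is broken into authenticate, authorize and accredit steps, with a separate reaccredit step for unlocking, and credentials are refused unless the (re)authentication steps have just succeeded. All names (`struct verify_ops`, the `v_*` functions, the fake backend) are hypothetical, and mapping the unlock path to `PAM_REINITIALIZE_CRED` is an assumption.

```c
enum { V_OK = 0, V_FAIL = -1, V_ORDER = -2 };
enum vstate { V_NEW, V_AUTHENTICATED, V_AUTHORIZED, V_ACCREDITED };

/* Hypothetical backend; each pointer would wrap the PAM call named beside it. */
struct verify_ops {
    int (*authenticate)(void *ctx);        /* pam_authenticate() */
    int (*authorize)(void *ctx);           /* pam_acct_mgmt() */
    int (*setcred)(void *ctx, int reinit); /* pam_setcred(): PAM_ESTABLISH_CRED,
                                              or PAM_REINITIALIZE_CRED (assumed) */
};
struct verifier { const struct verify_ops *ops; void *ctx; enum vstate state; };

int v_authenticate(struct verifier *v) {
    v->state = V_NEW;                      /* a new attempt voids earlier results */
    if (v->ops->authenticate(v->ctx) != 0) return V_FAIL;
    v->state = V_AUTHENTICATED;
    return V_OK;
}
int v_authorize(struct verifier *v) {
    if (v->state != V_AUTHENTICATED) return V_ORDER;
    if (v->ops->authorize(v->ctx) != 0) { v->state = V_NEW; return V_FAIL; }
    v->state = V_AUTHORIZED;
    return V_OK;
}
static int v_cred(struct verifier *v, int reinit) {
    if (v->state != V_AUTHORIZED) return V_ORDER;  /* never before (re)auth */
    if (v->ops->setcred(v->ctx, reinit) != 0) return V_FAIL;
    v->state = V_ACCREDITED;
    return V_OK;
}
int v_accredit(struct verifier *v)   { return v_cred(v, 0); } /* new session */
int v_reaccredit(struct verifier *v) { return v_cred(v, 1); } /* unlock */

/* Unlock path: re-run authentication and authorization, then refresh only. */
int v_unlock(struct verifier *v) {
    int rc = v_authenticate(v);
    if (rc == V_OK) rc = v_authorize(v);
    if (rc == V_OK) rc = v_reaccredit(v);
    return rc;
}

/* Constructed fake backend so the example runs without a PAM stack. */
struct fake { int auth_ok, acct_ok, setcred_calls, last_reinit; };
static int f_auth(void *c) { return ((struct fake *)c)->auth_ok ? 0 : 1; }
static int f_acct(void *c) { return ((struct fake *)c)->acct_ok ? 0 : 1; }
static int f_cred(void *c, int r) { struct fake *f = c; f->setcred_calls++; f->last_reinit = r; return 0; }
const struct verify_ops fake_ops = { f_auth, f_acct, f_cred };
```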