Re: [gdm-list] [RFE] A modular gdm greeter



Hi,

> Thinking some more I am not sure, a single stack could easily implement
> a 2 factor authentication by just chaining 2 pam modules:
> user/pass + fingerprint for example ..
Well there is one piece of information that all PAM modules have
access to and are expected to handle--that's PAM_USER.

So it's fairly easy to say, "Please enter your username or do
something else".  Then the pam_dosomethingelse module can handle its
special thing, or just defer to the next module in the stack instead
if the user enters a username.

Likewise, it's fairly straightforward to require the user to do more
than one thing, but one at a time.  "Please swipe your finger" (wait
for the swipe) "Please enter your local password".

The hard part comes when you want to support two or more exotic things
at the same time in arbitrary order, since pam starts at one module
in the stack and moves on to the next and the next.  Like I said
above, if one of the things is username, it's easy.  You just make the
top module in the stack ask for a username and punt to the next
module.  Username is special in this regard, though, because pam_start
takes a username as an argument, so PAM modules are expected to handle
it being around when they start up.

Anyway, I'm not sure what the right solution is to be more flexible.
Multiple simultaneous stacks sound reasonable.  I don't like the idea
of more than one stack in the same process at the same time.  PAM
modules tend to do nasty things, so they really need to be running in
their own process isolated from everything else (it makes sense
anyway, because you want to already be fork()'d before you
pam_open_session).

So, I think Brian's idea of multiple subprocesses, one-per-stack is
probably the best way to go, assuming multiple stacks is the best way
to go.

--Ray
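As an added illustration of the stack behaviour Ray describes (not code from the thread, gdm or Linux-PAM), the following C program emulates a two-entry PAM stack without linking against libpam: a top "sufficient" module that either handles a fingerprint swipe itself or sets PAM_USER and punts, followed by a "required" local-password module that only works once PAM_USER is known. The module names, the enrolled swipe token, the credential and the scripted conversation replies are all constructed for the example; the result codes mirror PAM's semantics but are local values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed result codes modelled on PAM's; this file does not use libpam. */
enum { AUTH_SUCCESS = 0, AUTH_IGNORE = 1, AUTH_FAIL = 2 };

/* Emulated handle. PAM_USER is the one item every module is expected to honour,
 * because pam_start() may already carry a user name when the modules start up. */
typedef struct {
    char user[64];               /* PAM_USER; empty string means "not known yet" */
    const char *const *answers;  /* scripted replies standing in for the conversation function */
    size_t answer_count;
    size_t next_answer;
} handle_t;

/* Conversation stand-in: a greeter would show the prompt and return the user's reply. */
static const char *converse(handle_t *h, const char *prompt) {
    (void)prompt;  /* a real greeter would render this */
    if (h->next_answer >= h->answer_count) return NULL;
    return h->answers[h->next_answer++];
}

typedef int (*module_fn)(handle_t *h);
/* "sufficient" stops the stack on success; "required" must succeed for the whole stack to. */
typedef struct { const char *name; module_fn fn; int sufficient; } entry_t;

/* Constructed enrolment table for the fingerprint path. */
static const struct { const char *swipe; const char *user; } enrolled[] = {
    { "finger:aa11", "alice" },
};

/* Hypothetical top-of-stack module: "enter your username or swipe your finger". */
static int mod_username_or_fingerprint(handle_t *h) {
    const char *in = converse(h, "Username or fingerprint: ");
    if (in == NULL) return AUTH_FAIL;
    if (strncmp(in, "finger:", 7) == 0) {
        for (size_t i = 0; i < sizeof enrolled / sizeof enrolled[0]; i++)
            if (strcmp(in, enrolled[i].swipe) == 0) {
                snprintf(h->user, sizeof h->user, "%s", enrolled[i].user);
                return AUTH_SUCCESS;   /* the exotic thing is handled right here */
            }
        return AUTH_FAIL;              /* unknown swipe; PAM_USER stays unset */
    }
    snprintf(h->user, sizeof h->user, "%s", in);  /* plain username: set PAM_USER ... */
    return AUTH_IGNORE;                           /* ... and punt to the next module */
}

/* Hypothetical local-password module with a constructed credential. */
static int mod_local_password(handle_t *h) {
    if (h->user[0] == '\0') return AUTH_FAIL;    /* nobody set PAM_USER before us */
    const char *pw = converse(h, "Password: ");
    if (pw == NULL) return AUTH_FAIL;
    return (strcmp(h->user, "alice") == 0 && strcmp(pw, "s3cret") == 0) ? AUTH_SUCCESS : AUTH_FAIL;
}

static const entry_t stack[] = {
    { "username_or_fingerprint", mod_username_or_fingerprint, 1 },  /* sufficient */
    { "local_password",          mod_local_password,          0 },  /* required   */
};

/* Walk the stack top to bottom, one module at a time, with sufficient/required rules. */
static int run_stack(handle_t *h) {
    int required_failed = 0, any_success = 0;
    for (size_t i = 0; i < sizeof stack / sizeof stack[0]; i++) {
        int rc = stack[i].fn(h);
        if (rc == AUTH_SUCCESS) {
            any_success = 1;
            if (stack[i].sufficient && !required_failed) return AUTH_SUCCESS;
        } else if (rc == AUTH_FAIL && !stack[i].sufficient) {
            required_failed = 1;
        }
        /* AUTH_IGNORE, or a failed "sufficient" module: simply move on */
    }
    return (required_failed || !any_success) ? AUTH_FAIL : AUTH_SUCCESS;
}

/* Run one authentication with scripted replies; copies the resolved PAM_USER to user_out. */
int emulate_auth(const char *const *answers, size_t count, char *user_out, size_t user_len) {
    handle_t h = { "", answers, count, 0 };
    int rc = run_stack(&h);
    snprintf(user_out, user_len, "%s", h.user);
    return rc;
}

int main(void) {
    static const char *const by_password[] = { "alice", "s3cret" };
    static const char *const by_finger[]   = { "finger:aa11" };
    char user[64];
    int rc = emulate_auth(by_password, 2, user, sizeof user);
    printf("password path: rc=%d user=%s\n", rc, user);
    rc = emulate_auth(by_finger, 1, user, sizeof user);
    printf("fingerprint path: rc=%d user=%s\n", rc, user);
    return 0;
}
```

The sequential walk in run_stack is what makes the "username first" case easy and the "two exotic things in any order" case hard: the top module can only set PAM_USER and defer, or finish the job itself; it cannot hand control to a module further down and get it back. Running each such stack in its own child process, as the message suggests, keeps one misbehaving module from affecting the others.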
