Re: [gdm-list] thoughts about face browser




Ray:

The truth is we can really only show 10 or so users in a list before
the list becomes inconvenient to use, anyway.

This isn't really true.  I used to make such assertions as well, until
several people from the GDM user community told me that they use the
Face Browser with up to ~200 users, even over NFS and like it.  I guess
nothing accounts for taste, but there are some people who find the
current Face Browser useful for more than 10 users.

I think the most common complaint I hear about the existing Face
Browser is that people would like it to be easier to search for
users in a long list.  For example, if I enter "abc" into the
username field, then perhaps the face browser should scroll to
users that start with "abc".

What would you guys say if we designed the new face browser to
initially only show local users by default, and then show a separator
and a "Log in as another user..." button that would allow the user to
type the username?

I think it might also be useful if we made the face browser keep track
of recent logins, and filter by that. The idea being that users who
frequently do a network login on the machine would show up in the face
browser, but network logins that never happen won't show up.

That seems reasonable.  The current Face Browser allows you to use
the Include configuration option to specify which users should appear in
the list.  A feature which remembers which users have actually
logged in, and shows these users in the Face Browser seems like a
reasonable approach to make it work better with NFS.

Also, a Face Browser doesn't make sense in some PAM configurations.
So it probably makes sense to continue to support the ability to turn
on or off the Face Browser itself.

If people think having it on in the default configuration makes sense,
that is okay with me.  In the past I have argued that this should be off
by default because it exposes usernames which would be seen as reducing
security for some.  However, I do realize that most distros turn this on
by default, so if we want to decide that users or distros who think this
is a security concern need to turn it off, then that is okay with me.

I think it will be a problem, though, if we hardcode the greeter to
require the Face Browser.

Thinking about this a bit more, there are really a few different types
of setups that the greeter may be faced with and that we may want to
try to deal with some way or another:

- System only has root account
- System only has root account and one other account
- System has a few local accounts
- System has a few local accounts and a lot of accounts on the network.

I do think it would be nice if the face browser or GDM were a bit more
clever about figuring out the setup of the machine and tailored the
login experience for that type of user.  For example, if there is only
one user on the machine, perhaps GDM should just ask for the password
and not bother asking for the username?  However, considering that
nobody has yet implemented patches to do this sort of thing makes me
think it isn't high priority.

We probably don't want to encourage root login, so maybe we should
provide a mechanism to create an account if there is only a root
account available?

While we don't want to encourage root login, we probably should allow
people to root login if they have configured GDM to allow this.  I'm
sure people will complain if GDM can't be configured to allow root
login.  Currently, by default stable GDM does allow root login, but
I would be agreeable if we wanted to change this to false by default
for better security.

However, if we were to do this, we'd need to figure out some way for
users to configure GDM on their first boot up.  Currently, I'd bet many
users need to log in as root to configure their systems - especially if
their distro doesn't turn on the ability to run gdmsetup from the login
program by default.

Perhaps, as suggested, the ability to create new users from the login
screen might be a reasonable way to solve this.

If there is only one account available, maybe we should consider doing
the login in the background automatically?  If we do this, we should
probably make sure the account is locked while the login is happening
(which means we should use the factory greeter thing Jon has been
working on?)

I'm not comfortable doing things like logging into accounts
automatically without the sysadmin or distro doing some configuration
first to indicate that they want this behavior.  At the very least
distros should be able to configure whether such behavior is turned on
or off.  GDM already supports automatic login, which can be used to
get this behavior with a bit of setup.  Perhaps we could make the way
automatic login is configured a bit easier, especially on systems
with just one user.

Brian
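
Added example, not part of Brian's message and not GDM code: a small audit of a GDM 2.x style configuration file for the three settings the message weighs (face browser, root login, automatic login). The key names (`Browser`, `Include`, `IncludeAll`, `AllowRoot`, `AutomaticLoginEnable`, `AutomaticLogin`) and the fallback defaults are assumptions based on the stable GDM 2.x configuration format; the sample file is constructed.

```python
import configparser

# Fallbacks used when a key is absent. Assumed upstream defaults; adjust
# them to what your distro ships (the message notes distros often differ).
ASSUMED_DEFAULTS = {
    ("security", "AllowRoot"): True,
    ("greeter", "Browser"): False,
    ("greeter", "IncludeAll"): False,
    ("daemon", "AutomaticLoginEnable"): False,
}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """
[daemon]
AutomaticLoginEnable=true
AutomaticLogin=alice
[security]
AllowRoot=true
[greeter]
Browser=true
IncludeAll=true
"""

def audit_gdm_conf(text, defaults=ASSUMED_DEFAULTS):
    """Return findings for the login-screen settings discussed in the message."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)

    def flag(section, key):
        return cp.getboolean(section, key, fallback=defaults[(section, key)])

    findings = []
    if flag("security", "AllowRoot"):
        findings.append("root-login-allowed")
    if flag("greeter", "Browser"):
        # Usernames are visible before authentication; report the list scope.
        raw = cp.get("greeter", "Include", fallback="")
        include = [u.strip() for u in raw.split(",") if u.strip()]
        scope = "IncludeAll" if flag("greeter", "IncludeAll") else "Include=" + ",".join(include)
        findings.append("face-browser-on:" + scope)
    if flag("daemon", "AutomaticLoginEnable"):
        user = cp.get("daemon", "AutomaticLogin", fallback="").strip()
        findings.append("automatic-login:" + (user or "<unset>"))
    return findings

if __name__ == "__main__":
    for finding in audit_gdm_conf(SAMPLE_CONF):
        print(finding)
```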


