[gdm-list] GDM in multi-display mode and as lock screen
- From: Brian Cameron <Brian Cameron Sun COM>
- To: gdm-list gnome org
- Subject: [gdm-list] GDM in multi-display mode and as lock screen
- Date: Wed, 04 Jun 2008 16:57:57 -0500
Over the past two weeks, I have been working with the Sun Ray team
and helping them integrate better with GDM. We did a fair bit of work
exploring different options with GDM and I wanted to share what we
covered and discovered with the rest of the GDM community.
1. Sun Ray and GDM 2.22
I think the GDM community will be happy to hear that we were able
to get Sun Ray working fairly well with GDM 2.22.0. The reason
this is exciting is because it demonstrates that GDM works well
in a multi-display mode. We tested with about 10 displays running
at once, and it seemed to work great.
To get SRSS working, we had to patch GDM 2.22.0 to work with the
PreSession and PostSession hooks, which had not yet been enabled
in the rewrite. I was able to get a fix for this upstream into
GDM SVN head [2].
We did our testing using the gdmdynamic patch which is now available
via bugzilla [1]. I believe this is the only way, at the moment, to
make GDM 2.22.0 behave in a multi-display fashion. We did find some
minor usability issues, though.
We noticed, for example, that g-s-d seems unable to draw the
background on any display except for DISPLAY :0. All other displays
have the gray Xserver default background. We also noticed that when
GDM doesn't find any users to display in the face browser, that the
GUI dialog seems to have problems resizing itself. Hitting the
"Cancel" button, for example, would cause the dialog to resize so
thin that you could no longer see what you were entering in the
text entry field. Perhaps the fact that the "Reboot" and "Shutdown"
buttons are turned off by default on Solaris caused these sorts of
problems to be more visible.
So this means that if people using SRSS on Linux want to try out
running SRSS with GDM 2.22.0, it seems to work fairly well - at
least for testing and development purposes.
2. Using GDM as a lock screen program
From October, 2007 through January, 2008 there was some discussion
about the merits of using GDM as a lock screen program and about
how Trusted Path applies to lock screen [3].
The Sun Ray team wants to use GDM as a lock screen program because
they have several issues using the default gnome-screensaver or
xscreensaver lock screen program. Their main issue seems to be
that there are situations like when a user opens a GTK+ menu, this
causes a screen grab from the GTK+ program. Then if a user pulls
out their SmartCard, the screen lock program fails to be able to
lock the screen since the screen is already grabbed. Leaving the
session in a non-locked state is a serious problem, so to solve
this they wrote their own lock screen dialog. Now, when a user
tries to re-connect to their previous session, the Sun Ray server
will create a brand new Xserver session which only is running their
lock screen dialog as the root user. When the user authenticates,
this session is destroyed, and the user is reconnected to their
real session. By isolating the screen lock in a separate session
they avoid worrying about how to manage dealing with any existing
screen locks in the user's session.
I understand that the GDM 2.22/2.23 developers are considering a
similar approach for handling lock screen in the future. It would be
interesting to hear what thoughts and designs (even if very
preliminary) are being considered, so we can work better together.
Obviously showing the lock screen dialog in a separate isolated
session (rather than the user session) is more secure - especially if
the GUI dialog is running as a different user. To support a11y in
a Trusted Path fashion, you really want any a11y tools needed to
navigate the login screen to also run as a separate user. Otherwise
it is fairly simply for trojans to snoop on or interfere with the
lock screen dialog - violating Trusted Path.
Now the Sun Ray team wants to replace their existing lock screen
dialog with GDM, so that it has accessibility support (amongst other
reasons). Working with them, we were able to get this to work with
GDM 2.20 with only a little work.
Since GDM supports per-display configuration, they specify PamStack
for the given display, specifying a lock screen pam stack. This
alternative pam stack pre-fills in the username so that GDM only
asks for the password. Then they use the PostLogin hook to terminate
the login dialog and trigger the display to be reset to the actual
user session after authentication. They also use per-display
configuration to specify a different gdmgreeter theme which avoids
showing buttons and menu choices that do not make sense when being
used as a lock screen.
So, it was neat to see that it was not much work to make GDM work
as a lock screen dialog. However, I see that using PamStack in a
per-display fashion is not really the ideal way to make this work.
Obviously it might not work well if the user has many Xnest displays
running on the same display, for example. This is not a bother for
Sun Ray since they don't support Xnest GDM. But if we want to
support this kind of feature in GDM moving forward, a more clever
way of configuring which PAM stack to use when launching the GDM
GUI.
The only serious problem we found with using GDM 2.20 as a lock
screen program is that it is not auditing properly. GDM obviously
needs some mechanism so it knows to audit differently when acting
as a login screen versus a lock screen.
So, in summary, this work made me realize that to make GDM act as a
lock screen, you really only need a few additional features:
- The ability to specify an alternative PAM stack when launching a
GDM GUI.
- The ability to specify that auditing should be handled differently
when doing lock screen versus login.
- The ability to inform the GDM GUI to display itself a bit
differently to avoid showing options that do not make sense at
lock screen time.
- On Linux, where you want PAM to run as the user when handling
lock screen, the PAM code would need to know to drop to user
ownership and permission when authenticating lock screen.
I think the main advantage of using GDM as a lock screen dialog
is simply because making Trusted Path, accessibility, PAM, audit,
etc. all work properly together is hard. It is obviously easier to
just centralize this code in one place rather than in multiple
programs. Since, for example, GDM will likely have a rich set of
mechanisms for launching a11y features, it seems best to have this
sort of complicated logic in one place.
I do not think that it is necessarily essential for Sun Ray to
support lock screen via GDM. If a different approach is developed
that resolves their underlying problems, I am sure the Sun Ray
team would be happy to more simply use a more general approach
rather than having their own custom solution. However, I think
that using GDM also as a lock screen program is an interesting
idea, and I wanted to let people know that it was pretty easy to
get GDM 2.20 to behave as a reasonably functional lock screen
dialog. This does not yet work as well with GDM 2.22 since there
is obviously no way to specify a different PamStack value when
launching a specific GDM GUI.
Brian
---
[1] http://bugzilla.gnome.org/show_bug.cgi?id=536355
[2] http://bugzilla.gnome.org/show_bug.cgi?id=536371
[3]
http://mail.gnome.org/archives/screensaver-list/2007-October/msg00000.html
http://mail.gnome.org/archives/screensaver-list/2007-November/msg00000.html
http://mail.gnome.org/archives/screensaver-list/2007-December/msg00003.html
http://mail.gnome.org/archives/screensaver-list/2008-January/msg00000.html
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
