Re: [gdm-list] how to use authentication feature of GDM in a screen saver



On Thu, Apr 08, 2010 at 04:12:27PM -0400, Ray Strode wrote:
> This same worker already has some stub code for doing
> reauthentication.  It might make sense to flesh that stub code out
> rather than starting a new worker and getting a fresh pam handle.
> This may cause issues in practice.  I haven't tried it.
> 
it is indeed very likely that it will cause issues. the pam_krb5 module
has done nasty things in the past when i tried to REFRESH_CRED from a
setuid root unlocker (hmm, i still haven't tested what would happen if i
reset the real uid to root as well). but then, you may have the
resources to verify all modules and fix the broken ones. it is
definitely The Right Thing To Do (TM) imo.

> [...] there is always a greeter on vt1 (or maybe vt7 depending on how
> you have things configured).  Whenever you login, the session is
> started on a brand new vt, and the greeter sticks around on its vt.
> [...]
> 
a "sticky" factory server might be a tad expensive resource-wise.
i'd fire up a new server only when a new session is requested or when
any session gets locked.
otoh, starting up a new x server and greeter for any type of
locking/switching may make that function anything but fast (though you
are less likely to have that problem than me with kdm).
in any case i see two fundamental problems:
- there *may* be pam modules which can't deal with PAM_XDISPLAY not
  belonging to the actual session
- if there is only one screen saver server, who gets to configure
  it? :-D
  no, seriously. some users will complain if only root can configure
  "their" screen saver. this is only an issue for actual multi-user
  systems, of course.

i actually wonder how to integrate fast user switching with screen
locking. the basic switching interface (outside an active session)
should be most probably just a login screen with the list displaying
which users already have active sessions, and the cursor focusing the user
whose session was last active. but i wonder whether one should get
straight into that mode or whether it should be reached via a separate
menu point from a more classical "user bound" screen lock.

