Re: [gdm-list] how to "talk" with gdm




Anderson"

> I am still confused about what you've said, because pam_pkcs11 module is
> enabled and is the first module on the stack. But it is only used (PIN
> prompt appears) after the user presses ENTER (I want to remove this
> "enter" part - the prompt should appear when the smartcard is
> inserted). So from the beginning of gdm start, simple-greeter presents
> the user/password prompt before talking to PAM. At least (in the gdm source
> code, more precisely simple-greeter) we got .glade file with login
> window using show_widget("login_window", "auth-input-box"...) that shows
> the password prompt for the user... am I wrong?

I believe it is a known limitation with PAM that it doesn't really work
very well when you want to use multiple authentication methods (entering
username/password and using SmartCard).  If you were just using a
SmartCard you could make the PAM module hang until a card is entered,
for example.

> I think (but I am not sure) that developing a new pam module would not
> solve my problem. Because I need to have a process running and polling
> dbus for a signal from the smartcard reader.

I believe that Ray Strode is working on adding a pluggable mechanism
that will support using multiple PAM authentication methods better, and
he has some code written in a branch.  I think his approach involves
writing some plugin code for GDM to make it handle your specific PAM
module to address issues like this.  I have not tried Ray's code
myself so I am not sure of the state of the code, but you might want to
talk to him about this and possibly get involved with finishing that
work to meet your needs.

Another approach might be to have a daemon listening for the smartcard
insertion and kill the greeter upon insert.  Then the greeter will
restart and start the PAM conversation with the SmartCard inserted and
the PAM module should be able to fill in the username value.  With the
old GDM you could send it a HUP signal to do this.  I'm not sure if the
new GDM (2.21 and later) supports this, but if it does not, then this
functionality should be easy to add back.  This might be an easier
approach than adding new D-Bus signals to GDM.

Brian

