Re: [gdm-list] how to "talk" with gdm

[Ray Strode <halfline gmail com>]

Hi,

On Thu, Apr 8, 2010 at 7:41 PM, Brian Cameron <brian cameron oracle com> wrote:
>
> Anderson"
>
>> I am still confused about what you've said, because pam_pkcs11 module is
>> enabled and is the first module on the stack. But it is only used (PIN
>> prompt appears) after the user press ENTER (I want to remove this
>> "enter" part - the prompt should appears when the smartcard is
>> inserted). So from the beginning of gdm start, simple-greeter presents
>> the user/password prompt before talk to PAM. At least (in the gdm source
>> coode, more precisily simple-greeter) we got .glade file with login
>> window using show_widget("login_window", "auth-input-box"...) that shows
>> the password prompt for the user... am I wrong?
>
> I believe it is a known limitation with PAM that it doesn't really work
> very well when you want to use multiple authentication methods (entering
> username/password and using SmartCard).  If you were just using a
> SmartCard you could make the PAM module hang until a card is entered,
> for example.
>
>> I think (but I am not sure) that developing a new pam module would not
>> solve my problem. Because I need to have a process running  and polling
>> dbus for a signal from the smartcard reader.
>
> I believe that Ray Strode is working on adding a pluggable mechanism
> that will support using multiple PAM authentication methods better, and
> he has some code written in a branch.  I think his approach involves
> writing some plugin code for GDM to make it handle your specific PAM
> module to address issues like this.  I have not tried Ray's code
> myself so I am not sure of the state of the code, but you might want to
> talk to him about this and possibly get involved with finishing that
> work to meet your needs.
It's here:

http://git.gnome.org/browse/gdm/log/?h=multi-stack

It has a still-in-progress plugin that works with pam_pkcs11.  I hope
to land this for 2.32/3.0.

--Ray