Re: [gdm-list] Separate username and password fields
- From: Brian Cameron <brian cameron oracle com>
- To: Ludwig Nussel <ludwig nussel suse de>
- Cc: gdm-list gnome org
- Subject: Re: [gdm-list] Separate username and password fields
- Date: Tue, 03 Aug 2010 08:35:57 -0500
Ludwig:
On 08/ 3/10 04:42 AM, Ludwig Nussel wrote:
Brian Cameron wrote:
I've never liked that GDM only shows one field. I have on occasion
started to type my username in only to then notice it's coming up in
dots because the prompt to the side actually reads Password, but my
research indicates that there is no way to configure to GDM to display
separate fields for username and password. Which is a shame. Given
that having only one field can evidently cause confusion I'd like to
ask the developers to consider adding a configuration option to
display separate username and password fields. I feel that is much
more user friendly than using a single field.
This usability issue is raised from time-to-time. Unfortunately, the
standard for handling authentication is PAM, and GDM also uses PAM.
While PAM makes it possible to integrate novel authentication mechanisms
(such as a fingerprint or SmartCard reader), its query/response protocol
does not support asking multiple questions at the same time.
Actually PAM does support multiple prompts at once. You just need a
module that actually asks for username and password in one
conversation (such as pam_unix2). Years ago I even made proof of
concept patch for GDM:
http://mail.gnome.org/archives/gdm-list/2007-February/msg00024.html
IIRC fixing the graphical greeter turned out to require too much
effort back then so I gave up.
You can not really assume that the PAM module will ask for username
and/or password. A PAM module may ask for any number of multiple
prompts. I believe PAM can support up to 64 prompts at once, so it
might be a bit complicated to generalize the dialog behavior so it
works reasonably for any random PAM module and also works as you
recommend it should for the username/password PAM module.
If it is not possible to implement a general solution, then another
option would be to hack the greeter to work in a special way with
specific PAM modules. It would be reasonable, I think, if GDM
supported a configuration option that would make the greeter work with
the username/password PAM module as you describe. If the feature
does not work with all PAM modules, then it would be necessary to add a
configuration option to specify whether GDM should use this feature or
not.
The current behavior of asking for input one-at-a-time is a bit
cumbersome, but reasonably simple to implement and works in all
situations.
As I said before, this issue has been raised before, but nobody has
yet provided a patch that implements this sort of feature in a good
way that works with general PAM modules. The issue is that the amount
of work to fix the usability bug properly is likely rather
significant. While the usability bug is annoying, I am not sure it
is really worth the amount of work required to fix it. That said,
if someone really wanted to spend the time to provide a well-written
patch that worked well generally with PAM, I am sure it would be
considered.
Brian
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
