Re: [gdm-list] gnome-screensaver authenticates users through GDM



Alan Coopersmith wrote:
Brian Cameron wrote:
IMO a screen saver should call pam_authenticate immediately when the
screen is locked, to allow for such mechanisms. What would be the
purpose in waiting?
Yes, it does make sense to show the lockscreen immediately, and
after a timeout show the eye-candy, that's true.  That's how lock
screen works currently, I believe.
Sun's fork of xscreensaver currently does this and it annoys users.
If we were redesigning it today instead of moving to gnome-screensaver,
the path I'd take would be to start the pam conversation immediately,
but don't show the authentication dialog until the PAM conversation
prompts for user input and the input is non-idle - for the common case
of unlock with a password, this would appear to the user as not asking
for a password until they move the mouse, even though the PAM conversation
may have been running for hours, but would allow cases such as smartcard
authentication to proceed when the smartcard was inserted without having
to hit the mouse too.

Interesting distinction between "calling pam_authenticate immediately" and "displaying the lockscreen immediately". I like your suggestion as it seems to offer the best of both worlds.

I would however caution that the screen should be blanked as soon as it is locked, before calling pam_authenticate. You should not rely on PAM module behavior to cause the screen to become blanked. A PAM module may never call the conversation function, for example. It may block and rely on some sort of system or device behavior to unblock and possibly return PAM_SUCCESS without ever calling the conversation function. The screen needs to be blanked during such a period so the desktop is not visible.

-Bob



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]