Re: [gdm-list] gnome-screensaver authenticates users through GDM

[Bob Doolittle <Robert Doolittle Sun COM>]

Alan Coopersmith wrote:
> Brian Cameron wrote:
>   
> > > IMO a screen saver should call pam_authenticate immediately when the
> > > screen is locked, to allow for such mechanisms. What would be the
> > > purpose in waiting?
> > >       
> > Yes, it does make sense to show the lockscreen immediately, and
> > after a timeout show the eye-candy, that's true.  That's how lock
> > screen works currently, I believe.
> >     
> Sun's fork of xscreensaver currently does this and it annoys users.
> If we were redesigning it today instead of moving to gnome-screensaver,
> the path I'd take would be to start the pam conversation immediately,
> but don't show the authentication dialog until the PAM conversation
> prompts for user input and the input is non-idle - for the common case
> of unlock with a password, this would appear to the user as not asking
> for a password until they move the mouse, even though the PAM conversation
> may have been running for hours, but would allow cases such as smartcard
> authentication to proceed when the smartcard was inserted without having
> to hit the mouse too.
>   

Interesting distinction between "calling pam_authenticate immediately" 
and "displaying the lockscreen immediately". I like your suggestion as 
it seems to offer the best of both worlds.

I would however caution that the screen should be blanked as soon as it 
is locked, before calling pam_authenticate. You should not rely on PAM 
module behavior to cause the screen to become blanked. A PAM module may 
never call the conversation function, for example. It may block and rely 
on some sort of system or device behavior to unblock and possibly return 
PAM_SUCCESS without ever calling the conversation function. The screen 
needs to be blanked during such a period so the desktop is not visible.

-Bob