Re: [gdm-list] gnome-screensaver authenticates users through GDM
- From: Bob Doolittle <Robert Doolittle Sun COM>
- To: Jeff Cai <Jeff Cai Sun COM>
- Cc: gdm-list gnome org, screensaver-list gnome org
- Subject: Re: [gdm-list] gnome-screensaver authenticates users through GDM
- Date: Sun, 17 Jan 2010 15:44:50 -0500
Bob Doolittle wrote:
Another note that may help here.
Most standard authentication modules (e.g. pam_unix_auth) will wind up
calling pam_get_user() if the PAM_USER item is not set, but if the
PAM_USER item is set, it will only authenticate that user (e.g. prompt
for password).
Let me correct this a bit: It is pam_get_user *itself* that bypasses the
user interaction if PAM_USER is already set.
So PAM modules don't have to be smart about this, the smarts are built
into pam_get_user which they simply always call.
-Bob
So, the same authentication module is used in both Display Managers
like GDM (where initially PAM_USER is typically not yet set, so a
username prompt/response interaction occurs) and Screen Lockers like
gnome-screensaver (where initially PAM_USER *will* be set before
pam_authenticate is called, so no username prompt/response interaction
occurs). Something like gnome-screensaver will call pam_start() and
then pam_set_item(PAM_USER, ...) during application initialization.
-Bob
Brian Cameron wrote:
Jeff:
1) gnome-screensaver becomes a program which just keeps track of
when the session is idle long enough to lock the screen, does
the screen lock and shows eye-candy. When the user hits a key or
moves the mouse, it would send GDM a D-Bus message telling it to
displays the normal GDM login window to ask the user to
authenticate. This would cause GDM to start the login dialog with
the lockscreen PAM stack so it just asks for the password (or
whatever the lockscreen PAM stack is defined to do).
Not login dialog, since username is not needed. I guess a new dialog
may
be needed or the old login dialog
needs to hide username with a different flag.
GDM's login dialog is really just a PAM dialog. It will prompt the user
for whatever PAM says. The GDM dialog knows nothing about usernames or
passwords. Only PAM does.
Note in gdm-session-worker.c that gdm_session_worker_initialize_pam()
calls pam_start(). For the first argument to pam_start, GDM will pass
either "gdm" for normal GDM operations or "gdm-autologin" when GDM is
in automatic login mode.
This will cause GDM to use whatever PAM prompts are defined for the
"gdm" or "gdm-autologin" PAM stack in /etc/pam.conf.
So, if you wanted to make GDM GUI also work for lockscreen, one neeed
change would be to change the first argument of pam_start to the
lockscreen PAM stack name. This would ensure it only asks for password
and not username, in the normal case.
You can refer to gnome-screensaver to see what it passes in as the
first argument to pam-start. I am sure it is something other than
"gdm" or "gdm-autologin".
Brian
_______________________________________________
gdm-list mailing list
gdm-list gnome org
http://mail.gnome.org/mailman/listinfo/gdm-list
_______________________________________________
gdm-list mailing list
gdm-list gnome org
http://mail.gnome.org/mailman/listinfo/gdm-list
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]