Re: [gdm-list] gnome-screensaver authenticates users through GDM



Bob Doolittle wrote:
Another note that may help here.

Most standard authentication modules (e.g. pam_unix_auth) will wind up calling pam_get_user() if the PAM_USER item is not set, but if the PAM_USER item is set, it will only authenticate that user (e.g. prompt for password).

Let me correct this a bit: It is pam_get_user *itself* that bypasses the user interaction if PAM_USER is already set.

So PAM modules don't have to be smart about this, the smarts are built into pam_get_user which they simply always call.

-Bob


So, the same authentication module is used in both Display Managers like GDM (where initially PAM_USER is typically not yet set, so a username prompt/response interaction occurs) and Screen Lockers like gnome-screensaver (where initially PAM_USER *will* be set before pam_authenticate is called, so no username prompt/response interaction occurs). Something like gnome-screensaver will call pam_start() and then pam_set_item(PAM_USER, ...) during application initialization.

-Bob

Brian Cameron wrote:

Jeff:

1) gnome-screensaver becomes a program which just keeps track of
when the session is idle long enough to lock the screen, does
the screen lock and shows eye-candy. When the user hits a key or
moves the mouse, it would send GDM a D-Bus message telling it to
display the normal GDM login window to ask the user to
authenticate. This would cause GDM to start the login dialog with
the lockscreen PAM stack so it just asks for the password (or
whatever the lockscreen PAM stack is defined to do).
Not login dialog, since username is not needed. I guess a new dialog may
be needed or the old login dialog needs to hide username with a different flag.

GDM's login dialog is really just a PAM dialog.  It will prompt the user
for whatever PAM says.  The GDM dialog knows nothing about usernames or
passwords.  Only PAM does.

Note in gdm-session-worker.c that gdm_session_worker_initialize_pam()
calls pam_start().  For the first argument to pam_start, GDM will pass
either "gdm" for normal GDM operations or "gdm-autologin" when GDM is
in automatic login mode.

This will cause GDM to use whatever PAM prompts are defined for the
"gdm" or "gdm-autologin" PAM stack in /etc/pam.conf.

So, if you wanted to make GDM GUI also work for lockscreen, one needed
change would be to change the first argument of pam_start to the
lockscreen PAM stack name.  This would ensure it only asks for password
and not username, in the normal case.

You can refer to gnome-screensaver to see what it passes in as the
first argument to pam_start.  I am sure it is something other than
"gdm" or "gdm-autologin".

Brian
_______________________________________________
gdm-list mailing list
gdm-list gnome org
http://mail.gnome.org/mailman/listinfo/gdm-list
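
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not GDM, gnome-screensaver or libpam code: a small self-contained C model of how `pam_get_user()` skips the username prompt when `PAM_USER` is already set. The `model_*` names, the `ui_conv` callback, the user `alice` and the service name `lockscreen-service` are constructed placeholders; nothing here links against libpam or authenticates anyone.

```c
#include <stdio.h>
#include <string.h>

/* Model only: imitates the pam_get_user() behaviour described in the thread.
   It is not libpam and performs no real authentication. */
typedef struct {
    const char *service;  /* first argument to pam_start(), e.g. "gdm" */
    const char *user;     /* the PAM_USER item; NULL until something sets it */
    const char *(*conv)(const char *prompt, void *data); /* app conversation */
    void *conv_data;
} model_handle;

/* Records which prompts the application's dialog was asked to display. */
typedef struct { int username_prompts; int password_prompts; } ui_log;

/* Constructed conversation callback: answers prompts and counts them. */
static const char *ui_conv(const char *prompt, void *data) {
    ui_log *log = data;
    if (strcmp(prompt, "login: ") == 0) { log->username_prompts++; return "alice"; }
    log->password_prompts++;
    return "constructed-password";
}

/* Like pam_get_user(): converse for a username only if PAM_USER is unset. */
static const char *model_get_user(model_handle *h) {
    if (h->user == NULL)
        h->user = h->conv("login: ", h->conv_data);
    return h->user;
}

/* Like a password module: always calls get_user, then asks for the secret. */
static int model_authenticate(model_handle *h) {
    const char *user = model_get_user(h);
    const char *pw = h->conv("Password: ", h->conv_data);
    return (user != NULL && pw != NULL) ? 0 : 1;  /* 0 stands in for PAM_SUCCESS */
}

/* preset_user == NULL models a display manager; a non-NULL value models a
   screen locker that sets PAM_USER right after pam_start(). */
ui_log run_flow(const char *service, const char *preset_user) {
    ui_log log = {0, 0};
    model_handle h = { service, preset_user, ui_conv, &log };
    model_authenticate(&h);
    return log;
}

int main(void) {
    ui_log dm = run_flow("gdm", NULL), sl = run_flow("lockscreen-service", "alice");
    printf("username prompts: display manager %d, screen locker %d\n",
           dm.username_prompts, sl.username_prompts);
    return 0;
}
```

The same "module" code runs in both flows; only the state of `PAM_USER` before authentication decides whether the dialog ever shows a username prompt.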