Features/MultiplePAMStacksInGDM

Revision as of 15:07, 20 February 2009 by Rstrode

Add Support for Multiple Simultaneous Authentication Conversations to Login Screen

Summary

Improve GDM's interaction with PAM so that it can run multiple authentication stacks simultaneously.

Owner

  • Name: Rstrode

Current status

  • Targeted release: Fedora 11
  • Last updated: Feb 20, 2009
  • Percentage of completion: 65%

Detailed Description

Improve the GDM login screen so that it works better with multiple simultaneous authentication stacks. This will be accomplished by adding a plugin framework to the GDM greeter that has APIs for plugins to instigate independent PAM conversations at the same time. Each plugin will be responsible for shipping its own PAM service file and UI for driving the PAM conversation associated with that service file. Each plugin will also have the ability to affect the behavior of the login screen in response to external events (e.g., a smart card plugin might tell the login screen to start the PAM smart card authentication stack in response to a smart card getting inserted into the system).

Benefit to Fedora

GDM currently only supports running one PAM conversation at a time. This means that if we want to support, say, fingerprint OR username/password authentication, we have to ship a PAM service file that has a specially crafted set of PAM stacks designed to run the fingerprint and username/password authentication modules in the right order. When there are just two modules working together it's not a huge problem, but if you want 3 possible methods of logging into the system (say username/password, fingerprint, AND smartcard), the logic necessary to achieve that in one PAM service file becomes difficult.

By running, e.g., the "smartcard" conversation independently from the "password" conversation, we sidestep a lot of messy logic and module interaction issues.

Also, by having a plugin system specific to the GDM greeter, we can have UI that's less generic and more suited to the PAM conversations actually getting run.
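
The ordering problem described above, as an added example (not GDM or Linux-PAM code): a simplified Python model of PAM's required, requisite and sufficient control flags, comparing one combined auth stack with one stack per method. The module labels and service names are hypothetical.

```python
# Added illustration: simplified model of Linux-PAM "auth" control flags.
# Module labels (smartcard, fingerprint, password) are placeholders, not real modules.

def run_stack(stack, can_pass):
    """Run one auth stack in order, as a single PAM conversation would.

    stack: list of (control_flag, module_label)
    can_pass: set of module labels this user is able to satisfy
    Returns (authenticated, modules_invoked_in_order).
    """
    invoked, required_failed, succeeded = [], False, False
    for control, module in stack:
        invoked.append(module)
        ok = module in can_pass
        if control == "sufficient":
            if ok and not required_failed:
                return True, invoked          # success ends the stack early
            # a failed "sufficient" module is ignored; fall through to the next
        elif control == "required":
            succeeded = succeeded or ok
            required_failed = required_failed or not ok   # fail later, keep going
        elif control == "requisite":
            if not ok:
                return False, invoked         # failure ends the stack at once
            succeeded = True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return succeeded and not required_failed, invoked


def run_independent(services, can_pass):
    """Run each service's stack as its own conversation; any success logs in."""
    results = {name: run_stack(stack, can_pass) for name, stack in services.items()}
    return any(ok for ok, _ in results.values()), results


# One service file covering all three methods: order decides what the user sees.
COMBINED = [("sufficient", "smartcard"),
            ("sufficient", "fingerprint"),
            ("required", "password")]

# One single-purpose stack per method (service names are hypothetical).
SEPARATE = {"svc-smartcard": [("required", "smartcard")],
            "svc-fingerprint": [("required", "fingerprint")],
            "svc-password": [("required", "password")]}

if __name__ == "__main__":
    print(run_stack(COMBINED, {"password"}))
    print(run_independent(SEPARATE, {"password"}))
```

In the combined stack a password-only user still passes through the smart card and fingerprint modules before reaching the password module; with separate stacks each method is evaluated on its own and none depends on the position of another.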

Scope

Requires implementing the above mentioned features, discussing how this change will affect other parts of the system (e.g. authconfig) with the relevant parties, and documenting the feature.

Test Plan

This test plan is way too general. We need to flesh it out more as the implementation details are figured out.
  1. Configure the system to have multiple ways of authenticating.
  2. Ensure that all ways work.
  3. Play around with authconfig and make sure things continue to work.

User Experience

  1. A lot of users of the updated version of GDM won't notice any change at all.
  2. Users who wish to use their laptop's fingerprint readers or company-mandated smartcards will notice a slicker experience.

Dependencies

Contingency Plan

  • Shipping with the in-progress multi-stack patch but with only one stack enabled, or shipping without the patch and keeping the current behavior.

Documentation

There are no docs written yet.

Release Notes

There are no release notes written yet.