Add Support for Multiple Simultaneous Authentication Conversations to Login Screen
Improve GDM's interaction with PAM so that it works with multiple simultaneous stacks at once.
- Name: Rstrode
- Targeted release: Fedora 11
- Last updated: Feb 20, 2009
- Percentage of completion: 65%
Improve the GDM Login screen such that works better with multiple simultaneous authentication stacks. This will be accomplished by added a plugin framework to the GDM greeter that has APIs for plugins to instigate independent PAM conversations at the same time. Each plugin will be responsible for shipping it's own PAM service file and UI for driving the PAM conversation associated with that service file. Each plugin will also have the ability to affect the behavior of the login screen in response to external events (e.g., a smart card plugin might tell the login screen to start the PAM smart card authentication stack in response to a smart card getting inserted into the system).
Benefit to Fedora
GDM currently only supports running one PAM conversation at a time. This means if we want to support say Fingerprint OR username/password authentication, then we have to ship a PAM service file that has a specially crafted set of PAM stacks designed to run the fingerprint and username/password authentation modules in the right order. When there are just two modules working together it's not a huge problem, but if you want 3 possible methods of logging into the system (say username/password, fingerprint, AND smartcard) then the logic neccessary to achieve that in one PAM service file becomes difficult.
By running, e.g., the "smartcard" conversation indendently from the "password" conversation, we side step a lot of messy logic and module interaction issues.
Also, by having a plugin system specific to the GDM greeter, we can have UI that's less generic and more suited to the PAM conversations actually getting run.
Requires implementing the above mentioned features, discussing how this change will affect other parts of the system (e.g. authconfig) with the relevant parties, and documenting the feature.
Right now authconfig writes out a PAM service file system-auth that most other PAM services in the system "include". This service file does it's best to tie to together the configured authentication mechanisms for the system into one pam conversation. With the new GDM we have multiple conversations broken out, so system-auth isn't suitable anymore. Some of the stuff in system-auth we do need to carry over to the username/password conversation (for instance, ldap integration, kerberos integration, etc), and other bits we explicitly can't carry over (fingerprint, smartcard, etc). I need to talk to Tomas Mraz to figure out the best way to reconcile this. It may mean having authconfig write out an additional stack in addition to system-auth.
- Configure the system to have multiple ways of authenticating
- Ensure that all ways work.
- Play around with authconfig and make sure things continue to work
- A lot of users of the update version of GDM won't notice any change at all.
- Users who wish to use their laptop's fingerprint readers or company mandated smartcards will notice a slicker experience.
- Shipping with the in-progress multi-stack patch but with only one stack enabled, or shipping without the patch and keeping the current behavior.