RE: setting initial prompt of gdmlogin using PAM conversation function



Thanks for your reply, George. 

Now I understand why it won't work with gdmgreet (and gdmlogin) as it is. 

I think there's a relatively simple solution, though.  

How about we add an option to gdmgreet (or gdmlogin?  or both?  which one is
used more?), let's say --no-username-prompt, which would make it call
pam_authenticate() with a NULL username and a NULL password, before putting
up a "Username:" prompt?

If we can do this, our PAM module can take over control using the
conversation function and put up whatever prompt we would like (e.g. "Please
insert smartcard or enter username").

A good thing about this approach is that, unless the "--no-username-prompt"
option is specified, gdmgreet works exactly as it does today.  So, there
should be no regression.  Also, this is quite a simple modification.

What do you think?  Would there be a chance it gets into the source tree if
we make this modification?

Thank you. 

> -----Original Message-----
> From: George [mailto:jirka 5z com]
> Sent: Sunday, February 16, 2003 2:42 PM
> To: Naomaru Itoi
> Cc: 'gdm SunSITE dk'; Venkatrao Rapaka; Rama Kristipati
> Subject: Re: setting initial prompt of gdmlogin using PAM conversation function
> 
> 
> On Fri, Feb 14, 2003 at 06:48:46PM -0800, Naomaru Itoi wrote:
> > Hi, 
> > 
> > Thank you for your great job as usual. 
> > 
> > We are writing a smartcard PAM module, and are trying to set a prompt in GDM
> > Greeter (gdmlogin).  We want to prompt something like "Please enter username
> > or insert smartcard" at the beginning of the login process.  We are testing
> > this with gdmlogin.
> >
> > We can set a prompt using a conversation function all right.  This is good.
> > (Thanks!)
> >
> > However, gdmlogin always displays a prompt "Username" before calling
> > pam_sm_authenticate().  It is only after a user enters a username and hits
> > Enter Key that pam_sm_authenticate() is called.  So our PAM module doesn't
> > have a chance to override the initial message.
> >
> > Is there any way to work around it and display a different message as the
> > initial message?
> 
> Not currently.  This requires some rework of how gdm works.  It would not be
> too hard actually and Sun seems to be interested in doing this too.  The
> basic idea is to change gdm to not assume that we get a username before pam.
> I'm busy working on my thesis (and related stuff) currently so I don't really
> have time to work on this right now.  I'd really like this to be done for
> gnome 2.4 however as it would bring gdm into full pam compliance.
>
> The biggest problem is passwordless guest login that is currently done in
> gdm.  I suppose we can somewhat scrap this feature and say that it should be
> done in pam and not in gdm.
>
> > I guess we can replace the greeter by changing gdm.conf.  But we would like
> > to limit our code to the PAM module, if possible.
>
> Of course, however currently gdm doesn't allow this.  In fact even replacing
> the greeter won't help you here except only for changing the initial prompt.
> I suppose you want the username to be read from the smartcard, but currently
> the username reading is going outside of pam.
> 
> George
> 
> -- 
> George <jirka 5z com>
>    Let's not bicker and argue about who killed who.
>                        -- Monty Python
> 
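
The control flow discussed in this thread, as an added example that is not code from the thread, from GDM, or from libpam: a small C model of a greeter and a module exchanging prompts through a conversation callback, with and without the proposed --no-username-prompt behaviour. The types are local stand-ins shaped like PAM's message/response pair; `struct greeter`, `run_login`, `module_authenticate` and the password `constructed-secret` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins shaped like PAM's message/response pair (not libpam). */
enum { ECHO_OFF = 1, ECHO_ON = 2 };
struct msg  { int style; const char *text; };
struct resp { char *answer; };
typedef int (*conv_fn)(const struct msg *m, struct resp *r, void *appdata);
/* Constructed greeter: scripted keystrokes in, prompts actually shown out. */
struct greeter { const char *typed[4]; int next; char shown[4][64]; int nshown; };
/* Greeter side: show whatever prompt the module sends, return the typed line. */
static int greeter_conv(const struct msg *m, struct resp *r, void *appdata) {
    struct greeter *g = appdata;
    if (g->nshown == 4 || g->next == 4 || !g->typed[g->next]) return -1;
    snprintf(g->shown[g->nshown++], sizeof g->shown[0], "%s", m->text);
    if (!(r->answer = malloc(strlen(g->typed[g->next]) + 1))) return -1;
    strcpy(r->answer, g->typed[g->next++]);   /* the module frees the answer */
    return 0;
}
/* Module side: ask for the username itself only when none was handed in. */
static int module_authenticate(const char *user, conv_fn conv, void *appdata,
                               char *who, size_t n) {
    struct resp r = { NULL };
    struct msg ask = { ECHO_ON, "Please insert smartcard or enter username: " };
    struct msg pw = { ECHO_OFF, "Password: " };
    if (user == NULL && conv(&ask, &r, appdata) != 0) return -1;
    snprintf(who, n, "%s", user ? user : r.answer);
    free(r.answer);                   /* NULL when the greeter supplied user */
    if (conv(&pw, &r, appdata) != 0) return -1;
    int ok = strcmp(r.answer, "constructed-secret") == 0; /* demo check only */
    free(r.answer);
    return ok ? 0 : -1;
}
/* One login; no_username_prompt models the option proposed in the message. */
int run_login(int no_username_prompt, struct greeter *g, char *who, size_t n) {
    const char *user = NULL;
    if (!no_username_prompt) {            /* today's flow: greeter asks first */
        snprintf(g->shown[g->nshown++], sizeof g->shown[0], "Username:");
        user = g->typed[g->next++];
    }
    return module_authenticate(user, greeter_conv, g, who, n);
}
int main(void) {
    struct greeter g = { { "alice", "constructed-secret" }, 0, { { 0 } }, 0 };
    char who[32];
    int rc = run_login(1, &g, who, sizeof who);
    printf("rc=%d user=%s first prompt=\"%s\"\n", rc, who, g.shown[0]);
    return rc != 0;
}
```

With the flag set, the first text the user sees comes from the module; without it, the greeter's own "Username:" is shown before the module is ever called.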

