Bug 788851 - provide way to extend GDM to show lists of options
Status: RESOLVED FIXED
Product: gdm
Classification: Core
Component: general
Assigned To: GDM maintainers
Reported: 2017-10-11 20:40 UTC by Ray Strode [halfline]
Modified: 2017-10-20 18:16 UTC


Attachments
session-worker: rename response_text to response (7.76 KB, patch), 2017-10-11 20:40 UTC, Ray Strode [halfline], status: none
daemon: introduce pam extension mechanism (67.58 KB, patch), 2017-10-11 20:40 UTC, Ray Strode [halfline], status: none
daemon: add ChoiceList PAM extension (33.52 KB, patch), 2017-10-11 20:40 UTC, Ray Strode [halfline], status: none
libgdm: add api for getting at ChoiceList interface (29.69 KB, patch), 2017-10-11 20:40 UTC, Ray Strode [halfline], status: none
pam: add little test module for new pam extensions (6.15 KB, patch), 2017-10-11 20:40 UTC, Ray Strode [halfline], status: none
session-worker: rename response_text to response (7.76 KB, patch), 2017-10-20 18:14 UTC, Ray Strode [halfline], status: committed
session: add new Initialize method (28.09 KB, patch), 2017-10-20 18:14 UTC, Ray Strode [halfline], status: committed
daemon: introduce pam extension mechanism (62.16 KB, patch), 2017-10-20 18:14 UTC, Ray Strode [halfline], status: committed
daemon: add ChoiceList PAM extension (32.19 KB, patch), 2017-10-20 18:14 UTC, Ray Strode [halfline], status: committed
libgdm: add api for getting at ChoiceList interface (29.80 KB, patch), 2017-10-20 18:14 UTC, Ray Strode [halfline], status: committed

Description Ray Strode [halfline] 2017-10-11 20:40:11 UTC
For RHEL we're going to need a way to present the user with a list of options,
but PAM currently lacks a mechanism for doing that.

This patchset kind of shoehorns an extension mechanism into PAM and leverages
it for adding the necessary feature.

I don't want to push it upstream yet, until I'm sure it will meet the needs
of RHEL, but I'm posting a draft now.
Comment 1 Ray Strode [halfline] 2017-10-11 20:40:30 UTC
Created attachment 361375
session-worker: rename response_text to response

Right now we always give text responses back to pam modules,
so the response variable is named response_text.  That's going
to change in the future, when we introduce a private protocol for
the module to talk to GDM.

As prep work for that change, rename "response_text" to "response".
Comment 2 Ray Strode [halfline] 2017-10-11 20:40:34 UTC
Created attachment 361376
daemon: introduce pam extension mechanism

This abuses PAM_BINARY_PROMPT for our own nefarious purposes.
The way it works is GDM advertises what "extensions" it supports
with the environment variable, GDM_SUPPORTED_PAM_EXTENSIONS (a
space-separated list of reverse DNS notation names). PAM services that
support this protocol will read the environment variable, and
check for extension strings they support. They then know that sending
PAM_BINARY_PROMPT won't blow up, and know what format to use for the
binary data.  The type field of the structure is the index of the
string from the environment variable.

This commit is just foundation work. It doesn't actually add any
extensions.
Comment 3 Ray Strode [halfline] 2017-10-11 20:40:39 UTC
Created attachment 361377
daemon: add ChoiceList PAM extension

This commit adds one PAM extension, a "Choice List" using the
new PAM_BINARY_PROMPT protocol added in the previous commit.  The
PAM module sends a list of (key, row text) pairs, and GDM ferries
the request to gnome-shell using a new user verifier sub-interface.

gnome-shell should present the list to the user and pass back the
corresponding key, which GDM ferries back to the PAM module.

Note this commit is only the daemon side. A subsequent commit will
add the libgdm API needed for gnome-shell to actually deal with
this new PAM extension.
Comment 4 Ray Strode [halfline] 2017-10-11 20:40:44 UTC
Created attachment 361378
libgdm: add api for getting at ChoiceList interface

This provides gnome-shell with a way to use the new interface.
Comment 5 Ray Strode [halfline] 2017-10-11 20:40:48 UTC
Created attachment 361379
pam: add little test module for new pam extensions

This commit just adds a test module for the new pam
interface (mainly for documentation purposes).
Comment 6 Ray Strode [halfline] 2017-10-11 21:01:52 UTC
This could also be used for bringing back the GDM PIN support from years of yore.
Comment 7 Ray Strode [halfline] 2017-10-11 21:46:01 UTC
Actually, I have another version of this I need to upload; this is an earlier cut than I thought it was, I think.
Comment 8 Ray Strode [halfline] 2017-10-20 18:14:26 UTC
Created attachment 361973
session-worker: rename response_text to response

Right now we always give text responses back to pam modules,
so the response variable is named response_text.  That's going
to change in the future, when we introduce a private protocol for
the module to talk to GDM.

As prep work for that change, rename "response_text" to "response".
Comment 9 Ray Strode [halfline] 2017-10-20 18:14:30 UTC
Created attachment 361974
session: add new Initialize method

Right now the worker interface has three methods for starting
a conversation: Setup, SetupForUser, SetupForProgram

Each of these method calls takes a large number of overlapping arguments.
Extending these argument lists is painful and breaks upgrades.

This commit adds a new, fourth call, Initialize, which supersedes the
others and just takes a vardict, which is much more extensible.
Comment 10 Ray Strode [halfline] 2017-10-20 18:14:34 UTC
Created attachment 361975
daemon: introduce pam extension mechanism

This abuses PAM_BINARY_PROMPT for our own nefarious purposes.
The way it works is GDM advertises what "extensions" it supports
with the environment variable, GDM_SUPPORTED_PAM_EXTENSIONS (a
space-separated list of reverse DNS notation names). PAM services that
support this protocol will read the environment variable, and
check for extension strings they support. They then know that sending
PAM_BINARY_PROMPT won't blow up, and know what format to use for the
binary data.  The type field of the structure is the index of the
string from the environment variable.

This commit is just foundation work. It doesn't actually add any
extensions.
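
The negotiation described in the "daemon: introduce pam extension mechanism" commit message, seen from the PAM module's side, as an added example (not code from the GDM patches). The helper names, the one-byte limit on the type field and the `org.example.*` extension names are assumptions made for illustration; only `GDM_SUPPORTED_PAM_EXTENSIONS` and its space-separated format come from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the type field is one byte wide, so indexes above 255 cannot
 * be expressed. The page does not state the field's size. */
#define MAX_EXTENSION_TYPE 255

/* Hypothetical helper: return the position of `wanted` in the space-separated
 * list `advertised`, or -1 when it is absent. Tokens must match exactly;
 * a name that is only a prefix of an advertised name does not count. */
int lookup_extension_type(const char *advertised, const char *wanted)
{
    size_t wanted_len;
    int index = 0;
    const char *p = advertised;

    if (advertised == NULL || wanted == NULL || *wanted == '\0')
        return -1;
    wanted_len = strlen(wanted);

    while (*p != '\0') {
        size_t token_len;

        p += strspn(p, " ");            /* skip separators */
        if (*p == '\0')
            break;
        token_len = strcspn(p, " ");
        if (token_len == wanted_len && memcmp(p, wanted, wanted_len) == 0)
            return index;
        if (index == MAX_EXTENSION_TYPE)
            return -1;
        index++;
        p += token_len;
    }
    return -1;
}

/* What a module would call before choosing between PAM_BINARY_PROMPT and an
 * ordinary text prompt: -1 means "not advertised, stay with text prompts". */
int negotiated_type(const char *wanted)
{
    return lookup_extension_type(getenv("GDM_SUPPORTED_PAM_EXTENSIONS"), wanted);
}

int main(void)
{
    /* Constructed extension name, not taken from the GDM patches. */
    printf("type = %d\n", negotiated_type("org.example.ChoiceList"));
    return 0;
}
```

When the variable is unset, as it would be under a login program that does not implement this protocol, the lookup returns -1 and the module keeps to standard prompts.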
Comment 11 Ray Strode [halfline] 2017-10-20 18:14:37 UTC
Created attachment 361976
daemon: add ChoiceList PAM extension

This commit adds one PAM extension, a "Choice List" using the
new PAM_BINARY_PROMPT protocol added in the previous commit.  The
PAM module sends a list of (key, row text) pairs, and GDM ferries
the request to gnome-shell using a new user verifier sub-interface.

gnome-shell should present the list to the user and pass back the
corresponding key, which GDM ferries back to the PAM module.

Note this commit is only the daemon side. A subsequent commit will
add the libgdm API needed for gnome-shell to actually deal with
this new PAM extension.
Comment 12 Ray Strode [halfline] 2017-10-20 18:14:41 UTC
Created attachment 361977
libgdm: add api for getting at ChoiceList interface

This provides gnome-shell with a way to use the new interface.
Comment 13 Ray Strode [halfline] 2017-10-20 18:16:14 UTC
Attachment 361973 pushed as 932dd92 - session-worker: rename response_text to response
Attachment 361974 pushed as 5683e5d - session: add new Initialize method
Attachment 361975 pushed as d5280a3 - daemon: introduce pam extension mechanism
Attachment 361976 pushed as d39ed7b - daemon: add ChoiceList PAM extension
Attachment 361977 pushed as 4e409d6 - libgdm: add api for getting at ChoiceList interface