GNOME Bugzilla – Bug 658451
gnome-shell-based greeter session can't work with --disable-split-authentication
Last modified: 2011-10-07 14:02:13 UTC
The gnome-shell-based greeter session is using the gdm-password PAM service, but if gdm is built with --disable-split-authentication, this gdm-password service is not installed. I'm not sure what's best here; either the gnome-shell stuff should look if gdm-password does exist, or maybe we can really simply drop --disable-split-authentication? Unfortunately, the split authentication stuff needs work at the distro level (I know I can't push it in openSUSE right now as it needs discussion about the pam configuration).
FWIW, in the meantime, in openSUSE, I'm just linking /etc/pam.d/gdm-password to /etc/pam.d/gdm
i guess if we build with --disable-split-authentication we should force the session to gdm-fallback. what do you think?
Isn't the issue here really that when you use split authentication it changes the PAM service names it uses? It is kind of ugly to make GDM use different PAM service names based on what version of GDM you are using. This is bound to mess up how sysadmins may have configured PAM. Really, the PAM service name used by GDM should be configurable. Ideally it should be configurable in a per-display manner. This way if a user wants to setup one display with a card reader and another with a fingerprint reader on a second display, you could just configure this with PAM. So, it might be possible to fix this bug by just adding an interface so that GDM acquires the PAM service name via something like a per-display Init/PreSession/PostSession script. Then it should be easy to configure the gnome-shell based greeter session to use the right service name when --disable-split-authentication is used, or in other situations where the sysadmin may want to use a specific PAM stack.
no, they're different service names because they serve different functions. They aren't strictly interchangeable and making the name configurable doesn't make sense since we ship them with GDM.
Ray: it looks to me that the gnome-shell greeter can work fine without the split authentication. This probably means that we can't support the "swipe finger" patch that is going to land soon, though. Would it be acceptable to have a gdm_greeter_use_split_authentication() API in libgdmgreeter, so that greeter implementations would know what to do? In the case of gnome-shell, that would mostly be "use gdm PAM service, and do not start the fingerprint stuff".
Well, my hope was just to have --disable-split-authentication as a short term transitional thing to make life a little easier for distributions. I was hoping to phase it out with the new greeter and drop it in 3.4 or so. I can understand your viewpoint though. You want the new greeter and things aren't there yet on the distro side to add split authentication support. I don't want to leave you high and dry. Hmm. Maybe rather than codifying it in the API we could do a short term hack, like automatically alias gdm-password to gdm in the daemon or library code #ifndef SPLIT_AUTHENTICATION. Then again, if we add the api we can always drop it later I guess since there aren't any api stability guarantees here...
Okay, I've added some compatibility name translation to the greeter server.
Created attachment 197006
daemon: add better unified authentication compatibility
The daemon and fallback greeter support --disable-split-authentication, but the new shiny greeter doesn't. This posed a problem for distributions that want to use the new shiny greeter (in an albeit degraded mode) but don't yet have support at the system level for split authentication. This commit adds a small amount of goo to make the split authentication pam service names translate to the unified pam service name and thus give the shell greeter a level of compatibility with --disable-split-authentication.
Ray, I had to revert this patch in openSUSE as now there's no password entry appearing. I'll look for more details as to why this happens tomorrow.
Okay, i'll investigate as well.
Created attachment 197491
daemon: fix the legacy auth compatibility layer
In commit f91f017071ffa5f5999e6c2e2c0929e290482932 I introduced a translation layer that keeps compatibility for distros who build with --disable-split-authentication. The commit was somewhat faulty, though. I made some last minute clean ups to the patch before committing that I didn't fully test. Those cleanups resulted in the pam service name getting improperly translated and broke the compatibility layer the commit introduced.
if you want me to freeze break for this let me know and i'll try to push it through.
Were you ever able to give this patch a try Vincent ?
(In reply to comment #13)
> Were you ever able to give this patch a try Vincent ?
Yes, and it works. See https://mail.gnome.org/archives/release-team/2011-September/msg00382.html :-)
hah, i guess i need to be better about following threads that I start.
Attachment 197491 pushed as 1d7f466 - daemon: fix the legacy auth compatibility layer
Doh, I apparently only tested the fix with the gnome-shell greeter, not with the old greeter. There I found another issue. Will attach a patch. Sorry for that.
Created attachment 198520
daemon: additional fix for legacy auth compatibility layer
g_str_has_prefix() was misused.
Comment on attachment 198520
daemon: additional fix for legacy auth compatibility layer
gah, I suck. thanks.
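A check for the situation in the original report, written as an added example (not GDM's code and not from this thread): it reports whether the PAM service names a greeter may request exist in a pam.d directory as regular files, as aliases such as the openSUSE symlink workaround, or not at all. The function names and the directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit how PAM service names resolve inside a pam.d directory.
# pam_service_status and audit_gdm_pam are hypothetical helper names.

# Print one of: file | alias:<target> | dangling:<target> | missing
pam_service_status() {
    svc_path="$1/$2"
    if [ -L "$svc_path" ]; then
        svc_target=$(readlink "$svc_path")
        if [ -e "$svc_path" ]; then
            # Symlink whose target exists, e.g. gdm-password -> gdm
            echo "alias:$svc_target"
        else
            echo "dangling:$svc_target"
        fi
    elif [ -f "$svc_path" ]; then
        echo "file"
    else
        # Linux-PAM uses the "other" service when no file exists for a
        # service name, so a missing entry should be flagged for review.
        echo "missing"
    fi
}

# Usage: audit_gdm_pam DIR SERVICE...
# Prints one line per service; returns non-zero if any service is
# missing or points at a target that does not exist.
audit_gdm_pam() {
    audit_dir=$1
    shift
    audit_rc=0
    for svc in "$@"; do
        st=$(pam_service_status "$audit_dir" "$svc")
        printf '%s: %s\n' "$svc" "$st"
        case $st in
            missing|dangling:*) audit_rc=1 ;;
        esac
    done
    return $audit_rc
}
```

On a live system, `audit_gdm_pam /etc/pam.d gdm gdm-password` covers the two service names mentioned in the report.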