GNOME Bugzilla – Bug 788851
provide way to extend GDM to show lists of options
Last modified: 2017-10-20 18:16:30 UTC
For RHEL we're going to need a way to present the user with a list of options, but PAM currently lacks a mechanism for doing that. This patchset kind of shoehorns an extension mechanism into PAM and leverages it for adding the necessary feature. I don't want to push it upstream yet, until I'm sure it will meet the needs of RHEL, but I'm posting a draft now.
Created attachment 361375: session-worker: rename response_text to response

Right now we always give text responses back to pam modules, so the response variable is named response_text. That's going to change in the future, when we introduce private protocol for the module to talk to GDM. As prep work for that change, rename "response_text" to "response".
Created attachment 361376: daemon: introduce pam extension mechanism

This abuses PAM_BINARY_PROMPT for our own nefarious purposes. The way it works is GDM advertises what "extensions" it supports with the environment variable, GDM_SUPPORTED_PAM_EXTENSIONS (a space separated list of reverse dns notation names). PAM services that support this protocol will read the environment variable, and check for extension strings they support. They then know that sending PAM_BINARY_PROMPT won't blow up, and know what format to use for the binary data. The type field of the structure is the index of the string from the environment variable. This commit is just foundation work. It doesn't actually add any extensions.
Created attachment 361377: daemon: add ChoiceList PAM extension

This commit adds one PAM extension, a "Choice List" using the new PAM_BINARY_PROMPT protocol added in the previous commit. The PAM module sends a list of (key, row text) pairs, and GDM ferries the request to gnome-shell using a new user verifier sub-interface. gnome-shell should present the list to the user and pass back the corresponding key, which GDM ferries back to the PAM module. Note this commit is only the daemon side. A subsequent commit will add the libgdm API needed for gnome-shell to actually deal with this new PAM extension.
Created attachment 361378: libgdm: add api for getting at ChoiceList interface

This provides gnome-shell with a way to use the new interface.
Created attachment 361379: pam: add little test module for new pam extensions

This commit just adds a test module for the new pam interface (mainly for documentation purposes).
this could also be used for bringing back the gdm pin support from years of yore.
Actually, I have another version of this I need to upload; this is an earlier cut than I thought it was, I think.
Created attachment 361973: session-worker: rename response_text to response

Right now we always give text responses back to pam modules, so the response variable is named response_text. That's going to change in the future, when we introduce private protocol for the module to talk to GDM. As prep work for that change, rename "response_text" to "response".
Created attachment 361974: session: add new Initialize method

Right now the worker interface has three methods for starting a conversation: Setup, SetupForUser, SetupForProgram. Each of these method calls takes a large number of overlapping arguments. Extending these argument lists is painful and breaks upgrades. This commit adds a new, fourth call, Initialize, which supersedes the others and just takes a vardict, which is much more extensible.
Created attachment 361975: daemon: introduce pam extension mechanism

This abuses PAM_BINARY_PROMPT for our own nefarious purposes. The way it works is GDM advertises what "extensions" it supports with the environment variable, GDM_SUPPORTED_PAM_EXTENSIONS (a space separated list of reverse dns notation names). PAM services that support this protocol will read the environment variable, and check for extension strings they support. They then know that sending PAM_BINARY_PROMPT won't blow up, and know what format to use for the binary data. The type field of the structure is the index of the string from the environment variable. This commit is just foundation work. It doesn't actually add any extensions.
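As an added illustration of the discovery step described in the two "introduce pam extension mechanism" comments above (example code, not GDM's or the patchset's own): a PAM module reads GDM_SUPPORTED_PAM_EXTENSIONS, a space-separated list of reverse-DNS names, and uses the position of the name it supports as the type value for PAM_BINARY_PROMPT, sending no binary prompt at all when the name is absent. The extension name `org.example.ChoiceList` and the helper function names are constructed for this example; only the environment variable name comes from the bug.

```c
/* Added example, not GDM code. Shows how a PAM module can check which GDM PAM
 * extensions were advertised before it sends PAM_BINARY_PROMPT. The variable
 * name GDM_SUPPORTED_PAM_EXTENSIONS is from the bug; the extension name below
 * is a constructed placeholder. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GDM_EXTENSIONS_ENV "GDM_SUPPORTED_PAM_EXTENSIONS"

/* Hypothetical reverse-DNS extension name, used only for illustration. */
#define EXAMPLE_CHOICE_LIST_EXTENSION "org.example.ChoiceList"

/* Return the 0-based position of `name` within the space-separated list
 * `advertised`, or -1 if it is not present. Per the bug, that position is the
 * value a module puts in the binary prompt's type field. Matching is on whole
 * tokens, so "org.example.ChoiceListX" does not satisfy "org.example.ChoiceList". */
int
gdm_pam_extension_index (const char *advertised, const char *name)
{
  size_t name_len;
  int index = 0;

  if (advertised == NULL || name == NULL || *name == '\0')
    return -1;

  name_len = strlen (name);

  while (*advertised != '\0')
    {
      const char *end;
      size_t token_len;

      /* Skip runs of separators so "a  b" still yields positions 0 and 1. */
      while (*advertised == ' ')
        advertised++;
      if (*advertised == '\0')
        break;

      end = strchr (advertised, ' ');
      token_len = (end != NULL) ? (size_t) (end - advertised) : strlen (advertised);

      if (token_len == name_len && memcmp (advertised, name, name_len) == 0)
        return index;

      index++;
      advertised += token_len;
    }

  return -1;
}

/* Read the list from the real environment. Returns -1 when the variable is
 * unset, i.e. when the conversation peer is not a GDM that speaks this
 * protocol, so the caller must stay with ordinary text prompts. */
int
gdm_pam_extension_index_from_env (const char *name)
{
  return gdm_pam_extension_index (getenv (GDM_EXTENSIONS_ENV), name);
}

int
main (void)
{
  int index = gdm_pam_extension_index_from_env (EXAMPLE_CHOICE_LIST_EXTENSION);

  if (index < 0)
    printf ("extension not advertised; use plain text prompts only\n");
  else
    printf ("extension advertised; PAM_BINARY_PROMPT type field = %d\n", index);

  return 0;
}
```

The whole-token comparison matters: a prefix or substring match would let a module pick a type index for an extension GDM never advertised, which is exactly the "blow up" case the mechanism exists to avoid.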
Created attachment 361976: daemon: add ChoiceList PAM extension

This commit adds one PAM extension, a "Choice List" using the new PAM_BINARY_PROMPT protocol added in the previous commit. The PAM module sends a list of (key, row text) pairs, and GDM ferries the request to gnome-shell using a new user verifier sub-interface. gnome-shell should present the list to the user and pass back the corresponding key, which GDM ferries back to the PAM module. Note this commit is only the daemon side. A subsequent commit will add the libgdm API needed for gnome-shell to actually deal with this new PAM extension.
Created attachment 361977: libgdm: add api for getting at ChoiceList interface

This provides gnome-shell with a way to use the new interface.
Attachment 361973 pushed as 932dd92 - session-worker: rename response_text to response
Attachment 361974 pushed as 5683e5d - session: add new Initialize method
Attachment 361975 pushed as d5280a3 - daemon: introduce pam extension mechanism
Attachment 361976 pushed as d39ed7b - daemon: add ChoiceList PAM extension
Attachment 361977 pushed as 4e409d6 - libgdm: add api for getting at ChoiceList interface