Next CK release?

William Jon McCann mccann at jhu.edu
Wed Apr 4 09:40:26 PDT 2007


On 4/3/07, Michael Biebl <mbiebl at gmail.com> wrote:
> 2007/4/3, Michael Biebl <mbiebl at gmail.com>:
> > > > It seems, as if I get an empty s string instead of NULL.
> > >
> > > Ah, OK.  Good catch.  I've added a check for empty string now.  Should
> > > be fixed in git.
> >
> > I can confirm that it works now.
> >
>
> Found one more issue:
> I know that graphical login managers should talk to CK directly, but
> kdm (and gdm < 2.18) still lack CK support. So I tried to use the pam
> module in /etc/pam.d/(k,g)dm.
>
> This looks something like this as a result:
> Session3:
>         uid = '1000'
>         realname = 'Michael Biebl'
>         seat = 'Seat3'
>         session-type = ''
>         active = FALSE
>         x11-display = ':0'
>         x11-display-device = ''
>         display-device = ''
>         remote-host-name = ''
>         is-local = TRUE
>         on-since = '2007-04-03T21:31:55Z'
>
> Note that display-device is empty and the session is marked
> non-active (although I'm typing this message from within this session
> right now).

This is a known problem and I'm not sure there is a really good
solution unfortunately.  I've just added support to the PAM module for
a CKCON_X11_DISPLAY_DEVICE pam environment variable so that may help.
But it would still require changes to the DM - and you're better off
just using CK directly.

So, this illustrates some more problems with this PAM based approach:
  * we can't use OpenSession() to automatically collect all the
session info because in most cases the PAM interaction isn't done in
the session process but in a parent.
  * we can't just try to verify the parameters sent to us by
OpenSessionWithParameters() because we don't even know if the
parameters are valid yet or for what process they should be checked
against.
  * we can't try to fill in missing parameters because of the above
reason and we shouldn't assume that the parameters weren't left out
intentionally.

The session process or X11 display may exist or be available at the
time of the PAM interaction.  An example of this today can be found in
openssh sessions.  A hypothetical one is what if the GDM greeter
process on DISPLAY :0 asks the slave process to authenticate a user
and create a new session with the intention of starting the session
DISPLAY on :20.  In this case not only does PAM get the wrong
information about both TTY and DISPLAY we can't try to determine
anything about the server until it is created.  You might be able to
get around this by calling pam_set_item again for the TTY and
deferring pam_open_session.  However, that isn't the way pam is
typically used - for a couple of reasons including the fact that you
really need to use threads to handle a PAM stack in an event driven
program.

Jon

