-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On October 17, [EMAIL PROTECTED] said:

 > I'm currently not sure if changing vlock is the right approach - or if
 > it is a misfeature in the pam module.

i agree with you that there may be problems in the pam module as well,
and it would be better if libpam-opensc could interleave conversations.

 > For instance, how does the pam module react when used with xlock?  Does
 > it lock the smartcard then as well?  If not, why not?

xlockmore [0], away, and xscreensaver all wait for a wakeup event to
trigger the PAM conversation, rather than initiating the PAM
conversation immediately at lock the way that vlock does.

away's wakeup event is just the user hitting enter (similar to my
patch here), at which point a standard PAM conversation begins.

xlockmore and xscreensaver appear to delay initiating the PAM
conversation until the user has already entered a password, despite
the fact that this seems to contradict the PAM spec.  i don't know how
these X11 tools would handle a multi-prompt PAM conversation.

i think aligning a PAM session temporally with a user's actual attempt
to authenticate is probably a reasonable goal in general, regardless
of exclusive-access PAM modules: consider a PAM module (or stack?)
that wants to fail an authentication attempt based on the user taking
too long to reply.  If the lock event in vlock is what starts the PAM
session, the first auth attempt is pretty much guaranteed to time out,
instead of succeeding or failing based on the duration of the user's
actual conversation.

 > PS: Thanks for your egate on debian HOWTO

yer welcome! i hope it was useful.

        --dkg

[0] Note: i don't use xlock because it crashes with libpam-opensc: 
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=318123
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8+ <http://mailcrypt.sourceforge.net/>

iD8DBQFDVA6PiXTlFKVLY2URAiGvAJwI/otfnqaTeBUQM5CeUooFYe2SYwCgnXN4
yLU8EfKkbn/b7kSN+eM0uOU=
=RZmC
-----END PGP SIGNATURE-----

