Brian Cameron wrote:
>
> Darren and Gary:
>
>>> On some Linux systems, the pam_ck_connector is used to ensure that
>>> non-graphical logins (e.g. telnet, ssh, etc.) are registered with
>>> ConsoleKit. Thus ConsoleKit can be used as a utmp/wtmp replacement
>>> since it stores a superset of the information as in the utmp/wtmp
>>> database. However, this is not an appropriate use of PAM and there are
>>> no plans to support this feature on Solaris since there is no
>>> immediate need to replace utmp/wtmp at this point in time. Instead,
>>> GDM will make use of ConsoleKit to manage its displays.
>>
>> I don't understand why you think this isn't appropriate use of PAM.
>
> I discussed this with Gary Winiger several months ago and he seemed
> insistent that this was an inappropriate use of PAM. He said that if
> we wanted programs to integrate with ConsoleKit, they should integrate
> directly (as GDM does), and not use a PAM module for this purpose. If
> my understanding of Gary's concerns is correct, he seemed to feel that
> PAM was to be used for authorization purposes, and not to keep random
> databases up to date.

I disagree with that assessment. The module is implementing session semantics and is doing so correctly in pam_sm_open_session and pam_sm_close_session. This is exactly what these PAM functions were designed for and we should be using them for utmpx. The ConsoleKit logging appears to be an alternate utmp.

> I've cc:ed Gary. Hopefully he can elaborate his views on this. Unless
> I am confused it seems that you and he have different perspectives on
> this.

Well we are different people and we don't agree on everything.

Remember I said we should ship the module, I didn't say we should have it in the default configuration. Not shipping the module means people that really want to use it can't do so without building ConsoleKit themselves. The beauty of PAM (and the old reason it was invented by Sun) was so that we can give admins that choice.

I very strongly believe (having actually read the source code of the pam_ck_connector) we should be shipping the module.

--
Darren J Moffat