2

I am trying to add a GTK window in PAM module. It works from my test pam app but doesn't work during desktop login or unlock. I see another unanswered question here - https://stackoverflow.com/questions/59011871/gtk-pam-module-not-showing-on-login

Wondering whether this is possible? If not then what is the approach to integrate / customize the login UI (gnome-screensaver, gdm-password) and let my PAM do the authentication.

pp99
  • 51
  • 3

1 Answers1

0

It’s not appropriate for a PAM module to be attempting to talk to the X server. If you are using the PAM module in a login session, the user’s X11 session isn’t even initialized until after the session starts, so there would be no X11 server to talk to anyway. The PAM module won’t know the $DISPLAY nor have access to X cookies. Those are set by the display manager after the session has started.

You’d be better off having gdm or some other display manager execute processes after the user logs in. If it needs to display something during login, it’s up to you to modify gdm to support that.

That isn’t to say this isn’t an impossible task. You could have a module use dbus to talk to a service that launches in the context of the gdm greeter, for example.

jsbillings
  • 24,006
  • 6
  • 56
  • 58
  • Can you expand upon what does make PAM modules special that this is not possible with GTK? As far as I am concerned, this is handled by the display manager, which is running as root. As root, after specifying the DISPLAY and merging xauth, I can totally execute arbitrary GUI applications on top of the greeter login. I would expect a PAM module to be able to initialize GTK, block while the main loop is running and finally let the authentication process continue. The rest of the UI would lock up, the whole process very whacky, unreliable and error-prone, but it seems not impossible to me. – Hermann May 27 '20 at 21:38
  • 1
    It’s not that it’s impossible, just extremely fragile. You’d be better off stealing gdm’s display and xauth tokens rather than the user’s. There is no guarantee that they’ll always be the same. – jsbillings May 27 '20 at 22:16
  • Thanks for your answer and comments. It gives me some keywords to work on. I come from Windows background which has credential providers (starting from Vista) to customize the UI and authentication methods. I understand the architecture in Linux is different. I see the PAM provides a mechanism to plugin your own authentication method. I was trying to find a framework where I can plugin my own GUI. For example a GUI that goes with - fingerprint or smart card authentication methods. Some thing like how the OS has its own little smart card icon like shown here [link]( https://ibb.co/CnYxNTS). – pp99 May 28 '20 at 02:48
  • @pp99 yeah, PAM isn’t where you want to plug in your GUI. Honestly, look at how fprintd works. It’ll give you an idea how to interact with the OS – jsbillings May 28 '20 at 12:04