arijo
2013-Jul-27 11:09 UTC
[LightDM] Perform non-interactive login using provided uses credentials
Hi list,

I would like to discuss the possibility of performing a login in a non-interactive way using full user credentials as if they were input into the greeter dialog.

Our current setups occasionally allow us to know about user identity and credentials as soon as initramfs, so it is somewhat unnecessary to ask the user to input them again.

I would like to avoid using the auto-login feature as is, because it prevents the unlocking of encrypted homes, keyrings and such. I am a bit unsure how to tell lightdm about existing credentials (I'm pretty sure it is impossible using the current code base), so I would appreciate any input from experienced developers on how to address this before I start hacking on the code.

--
Arijo
Andre Klärner
2013-Jul-28 22:15 UTC
[LightDM] Perform non-interactive login using provided uses credentials
On Sat 27.07.2013 11:09:52, arijo wrote:
> I would like to discuss the possibility of performing a login in a
> non-interactive way using full user credentials as if they were
> input into the greeter dialog.

My foolish attempt would be to build a greeter that runs the given credentials and, if they didn't work, proxy out to a regular greeter.

But what are the exact requirements for the encrypted filesystems? I guess they need exactly the cleartext password to hash it themselves to the actual encryption key, but do you have what you need present in your boot environment?

Btw: what are you doing so that the user info is already present so early?

Regards, Andre

--
Andre Klärner
Robert Ancell
2013-Aug-22 09:37 UTC
[LightDM] Perform non-interactive login using provided uses credentials
Hi Arijo,

Probably the most reliable way of doing this is to write a PAM module that gets the credentials from initramfs and then set LightDM to autologin. If the module credentials weren't available, your module can stop the PAM authentication and LightDM falls back to using a greeter.

Another method is to write your own greeter that could get the credentials and feed them to the LightDM daemon as a user would, but that doesn't sound like a very secure system.

--Robert

On 27 July 2013 23:09, arijo <arijo at tormail.org> wrote:
> Hi list,
>
> I would like to discuss the possibility of performing a login in a
> non-interactive way using full user credentials as if they were input into
> the greeter dialog.
> Our current setups occasionally allow us to know about user identity and
> credentials as soon as initramfs, so it is somewhat unnecessary to ask the
> user to input them again.
> I would like to avoid using the auto-login feature as is, because it
> prevents the unlocking of encrypted homes, keyrings and such. I am a bit
> unsure how to tell lightdm about existing credentials (I'm pretty sure it
> is impossible using the current code base), so I would appreciate any input
> from experienced developers on how to address this before I start hacking
> on the code.
>
> --
> Arijo
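
The PAM-module approach suggested in the thread depends on reading the handed-over credentials safely and failing closed so that LightDM falls back to the greeter. The following is an added example, not code from the thread or from LightDM: it shows only that read step, and it assumes the initramfs leaves a one-shot file containing "user\npassword\n" owned by a known uid with no group/other access. The file format and the names read_handoff, wipe and CRED_MAX are hypothetical.

```c
/* Added example: credential hand-off read for a hypothetical PAM module. */
#define _GNU_SOURCE 1 /* O_NOFOLLOW, O_CLOEXEC */
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CRED_MAX 512

/* Overwrite a secret through a volatile pointer so the store is not elided. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Reads "user\npassword\n" from path into user/pass (CRED_MAX bytes each).
 * Returns 0 on success, -1 if the file is missing, unsafe or malformed.
 * A module's pam_sm_authenticate would, on 0, store pass with
 * pam_set_item(pamh, PAM_AUTHTOK, pass) where later modules in the stack
 * can read it, then wipe pass; on -1 it would return a PAM failure code. */
int read_handoff(const char *path, uid_t owner, char *user, char *pass) {
    char buf[2 * CRED_MAX];
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC); /* no symlinks */
    if (fd < 0) return -1;
    /* fstat the open descriptor, not the path, to avoid a check/use race. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner &&
        (st.st_mode & (S_IRWXG | S_IRWXO)) == 0) {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        if (n > 0) {
            buf[n] = '\0';
            char *nl = strchr(buf, '\n');
            if (nl && nl != buf) {
                *nl = '\0';
                char *pw = nl + 1;
                pw[strcspn(pw, "\n")] = '\0';
                if (*pw && strlen(buf) < CRED_MAX && strlen(pw) < CRED_MAX) {
                    strcpy(user, buf);
                    strcpy(pass, pw);
                    rc = 0;
                }
            }
        }
    }
    wipe(buf, sizeof buf);
    close(fd);
    unlink(path); /* one-shot: remove the file whether or not it was usable */
    return rc;
}
```

The caller passes the uid the initramfs wrote the file as (0 on a real system) and must wipe user and pass once they have been handed to PAM.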