Christian Seiler
2014-Feb-05 16:29 UTC
[LightDM] [PATCHES] Multiple prompts in a single PAM conversation round
Hi,

when using pam_krb5, I've run into the following problem w.r.t. lightdm:

If a user's password is set to expire, i.e. the user needs to change it the first time they log in again, pam_krb5 will ask for the new password and the repeated version of the new password during the authentication phase (before authentication is complete). For this it uses two prompts in the same PAM conversation round. This is in principle handled properly in LightDM on the server side, but neither the GTK nor the KDE greeter implement this properly. (I haven't tried any other, but I suspect they suffer from the same problem.)

The first patch modifies liblightdm-gobject and liblightdm-qt to provide an additional signal that allows the greeter to know that all prompt/message signals for the specific conversation round have been processed. The second patch modifies lightdm-gtk-greeter to make use of it (while still allowing it to be compiled and/or run against older versions of liblightdm-gobject). I plan on looking at the KDE greeter next, the GTK one was just the simplest one to patch in this context.

Regards,
Christian

PS: I'm not subscribed to the mailing list, so please put me on Cc for replies.

PPS: Since this is my first time doing something with bzr (I mainly use git and have dabbled in mercurial), I'm sorry if I don't know the proper etiquette for providing patches. For now I have attached the output generated by bzr send -o (I reckon this is similar to git format-patch?) to this email, but if you prefer a different style (inline, as attachments in the bugtracker, ...), please let me know.

Attachment: lightdm-show-round-complete.patch (text/x-patch, 11210 bytes) <http://lists.freedesktop.org/archives/lightdm/attachments/20140205/99a1c9bc/attachment-0002.bin>
Attachment: lightdm-gtk-greeter-multiprompt.patch (text/x-patch, 13789 bytes) <http://lists.freedesktop.org/archives/lightdm/attachments/20140205/99a1c9bc/attachment-0003.bin>
Robert Ancell
2014-Feb-05 17:18 UTC
[LightDM] [PATCHES] Multiple prompts in a single PAM conversation round
Hi Christian,

Thanks for the patches. Unity Greeter [1] does handle this case but I suspect you're correct in the other greeters not.

The correct way to propose changes to LightDM is to make a branch on Launchpad and propose it for merging. In this case you should do the following from your local branch:

    $ bzr push lp:~yourlpusername/lightdm/yourbranchname

Go to https://code.launchpad.net/~yourlpusername/lightdm/yourbranchname and click "Propose for merging".

The code can then easily be reviewed, compiled for errors by the CI system and then landed into trunk.

I don't maintain the GTK+ greeter but you can use the same process there. For the KDE greeter it depends if you are changing the example Qt greeter [1] (which is unmaintained I think?) which is in Launchpad or the KDE greeter which is maintained in the KDE repositories.

Thanks,
--Robert

[1] https://launchpad.net/unity-greeter
[2] https://launchpad.net/lightdm-qt-greeter
Robert Ancell
2014-Feb-05 17:29 UTC
[LightDM] [PATCHES] Multiple prompts in a single PAM conversation round
A quick review:

You shouldn't strictly need the signal to handle multiple prompts - you just append a new prompt each time liblightdm-gobject generates a signal and remove them all when you have responded to all the prompts. (This is what Unity Greeter does). A group of prompts is guaranteed to be signalled in a row in the same thread.

It doesn't seem like a bad idea to add the signal for "end of prompts" though if that helps greeters to implement multiple prompts. Ideally we wouldn't need it and the API would have been designed to handle multiple prompts properly - that was a design mistake I made early on*.

If you do use the signal, note that the greeters will need to depend on the latest lightdm - this may delay distribution.

*And a good case for fixing with an API break in the future.

--Robert
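
Added example (not part of the thread, and not code from LightDM or any greeter): a minimal C model of the approach described in the review above, where each prompt signal appends to a list and the list is cleared only after every prompt in the round has been answered. The type names, function names and prompt texts are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define MAX_PROMPTS 8
#define MAX_LEN 128

/* Hypothetical greeter-side state for one PAM conversation round. */
typedef struct {
    char prompts[MAX_PROMPTS][MAX_LEN];   /* prompt texts in arrival order */
    char answers[MAX_PROMPTS][MAX_LEN];   /* user answers, same order */
    size_t n_prompts, n_answers;
} prompt_round;

/* Handler for one prompt signal: append, never overwrite an earlier prompt. */
int round_add_prompt(prompt_round *r, const char *text) {
    if (r->n_prompts == MAX_PROMPTS || strlen(text) >= MAX_LEN)
        return -1;
    strcpy(r->prompts[r->n_prompts++], text);
    return 0;
}

/* Prompt the UI should show now, or NULL when nothing is pending. */
const char *round_current_prompt(const prompt_round *r) {
    return r->n_answers < r->n_prompts ? r->prompts[r->n_answers] : NULL;
}

/* Record the answer to the current prompt. Returns 1 when every prompt of
 * the round is answered, 0 when more are pending, -1 on error. */
int round_answer(prompt_round *r, const char *text) {
    if (r->n_answers >= r->n_prompts || strlen(text) >= MAX_LEN)
        return -1;
    strcpy(r->answers[r->n_answers++], text);
    return r->n_answers == r->n_prompts;
}

/* Remove all prompts and answers once the round has been responded to. */
void round_reset(prompt_round *r) { memset(r, 0, sizeof *r); }

int main(void) {
    prompt_round r = {0};
    /* Constructed prompt texts for an expired-password round. */
    round_add_prompt(&r, "New password: ");
    round_add_prompt(&r, "Repeat new password: ");
    for (const char *p; (p = round_current_prompt(&r)) != NULL; ) {
        printf("%s\n", p);                 /* stand-in for the greeter UI */
        if (round_answer(&r, "constructed-secret") == 1)
            round_reset(&r);               /* answers would be sent before this */
    }
    return 0;
}
```

A greeter that keeps only a single prompt slot would show the second prompt in place of the first and never collect both answers, which is the failure the first message describes.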