Bug 182623

Summary: kdm doesn't obey PAM Application Developers Guide
Product: kdm
Reporter: Wolfgang Ullrich <w.ullrich>
Component: general
Assignee: kdm bugs tracker <kdm-bugs-null>
Status: RESOLVED DUPLICATE
Severity: normal
CC: marc.collin, mstl
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Ubuntu
OS: Linux
Latest Commit:
Version Fixed In:

Description Wolfgang Ullrich 2009-01-31 20:29:27 UTC
Version:            (using KDE 4.1.3)
OS:                Linux
Installed from:    Ubuntu Packages

During user login, kdm calls "pam_authenticate" _after_ prompting the user for name and/or password, which contradicts the recommendation of the documentation (PAM ADG). It reads in chapter 2: "It is important to note that the application must leave all decisions about when to prompt the user at the discretion of the PAM library."

The current implementation of kdm first prompts the user for his name and in some cases for his password and then it calls "pam_authenticate". This makes it impossible to use alternate authentication methods like smart cards or biometric processes to identify and/or authenticate a user.

The correct behavior would be to first call pam_authenticate and then await a callback from PAM's "conversation function" in case a "normal" authentication by keyboard is configured. That would make e.g. fingerprint login by PAM modules like "Fingerprint GUI" possible in the same way they work with gdm.
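
The call order requested in the description, sketched as an added example that is not kdm, gdm or libpam code: the greeter starts authentication first and touches the user only from its conversation callback, so a module that needs no password never causes a password prompt. The `demo_*` types, both modules, the secret and the typed input are constructed stand-ins shaped like libpam's conversation interface so the block builds without libpam.

```c
#include <stdlib.h>
#include <string.h>
/* Local stand-ins shaped like libpam's message/response/conv structs; all names are hypothetical. */
enum { DEMO_PROMPT_ECHO_OFF = 1, DEMO_TEXT_INFO = 4 };
enum { DEMO_SUCCESS = 0, DEMO_AUTH_ERR = 1 };
struct demo_message  { int style; const char *text; };
struct demo_response { char *resp; };
struct demo_conv {
    int (*conv)(const struct demo_message *, struct demo_response *, void *);
    void *appdata;
};
/* Greeter state: what the UI was asked to do, plus constructed keyboard input. */
struct greeter { int password_prompts; int info_shown; const char *typed; };
/* Conversation callback: the only place the greeter interacts with the user. */
static int greeter_conv(const struct demo_message *m, struct demo_response *r, void *appdata) {
    struct greeter *g = appdata;
    r->resp = NULL;
    if (m->style != DEMO_PROMPT_ECHO_OFF) { g->info_shown++; return DEMO_SUCCESS; }
    g->password_prompts++;                    /* a real greeter opens its password field here */
    r->resp = malloc(strlen(g->typed) + 1);   /* the module owns and frees the reply */
    if (!r->resp) return DEMO_AUTH_ERR;
    strcpy(r->resp, g->typed);
    return DEMO_SUCCESS;
}
/* Constructed module 1: asks for a password through the callback. */
static int password_module(const struct demo_conv *c) {
    struct demo_message m = { DEMO_PROMPT_ECHO_OFF, "Password: " };
    struct demo_response r;
    if (c->conv(&m, &r, c->appdata) != DEMO_SUCCESS) return DEMO_AUTH_ERR;
    int ok = strcmp(r.resp, "correct horse") == 0;   /* constructed secret */
    free(r.resp);
    return ok ? DEMO_SUCCESS : DEMO_AUTH_ERR;
}
/* Constructed module 2: never asks for a password, only shows a hint; sensor match assumed. */
static int fingerprint_module(const struct demo_conv *c) {
    struct demo_message m = { DEMO_TEXT_INFO, "Swipe your finger" };
    struct demo_response r;
    c->conv(&m, &r, c->appdata);
    return DEMO_SUCCESS;
}
/* Order the report asks for: start authentication first, prompt only on callback. */
static int greeter_login(int (*module)(const struct demo_conv *), struct greeter *g) {
    struct demo_conv c = { greeter_conv, g };
    return module(&c);
}
int main(void) {
    struct greeter g = { 0, 0, "" };
    return greeter_login(fingerprint_module, &g);   /* succeeds with zero password prompts */
}
```
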
Comment 1 Wolfgang Ullrich 2009-01-31 20:38:18 UTC
The same behavior has been seen from kscreensaver.
Comment 2 Oswald Buddenhagen 2009-02-02 20:17:46 UTC
doesn't look like it at first sight, but it *is* the same ...

*** This bug has been marked as a duplicate of bug 105631 ***
Comment 3 Dan Gherman 2010-07-26 19:12:40 UTC
*** This bug has been confirmed by popular vote. ***
Comment 4 Marc Collin 2013-05-19 10:49:54 UTC
I confirm it
Comment 5 mstl 2014-01-17 11:49:07 UTC
Please fix that problem. We have been waiting for a long time now. If I can help -> let me know!

tx in advance!