kcheckpass auth methods

Adriaan de Groot groot at kde.org
Sat Feb 25 20:52:10 GMT 2017 

Hi Martin, thanks for bringing this up.

On Friday 24 February 2017 15:59:22 Martin Gräßlin wrote:
> I'm currently cleaning up the kcheckpass code (kscreenlocker repository)
> and are wondering what is still needed.
> 
> We currently have code for the following auth backends:
> * pam
> * OSF/1 C2 security extension

I can say fairly certainly that that's OSF, or Tru64 -- DEC Alpha UNIX stuff, 
from way way back. (Supporting my memory is, for instance, 
https://lists.samba.org/archive/samba-ntdom/1999-September.txt ) I expect it's 
fair to say that Tru64 is no longer a supported platform for KDE.

> I would like to know if any distribution (including BSDs) is using
> something different than PAM and if yes which one. For the linux
> distributions I would like to know whether we can enforce PAM at compile
> time in case we detect compilation on linux (I got too many bug reports
> about not being able to unlock due to the optional dependency, hello
> Gentoo users knowing how to set proper flags :-P ).

FreeBSD uses PAM. It also setuid's kcheckpass. I'm taking a look at what is 
actually needed there now (results later).

Looking at the cmake output on FreeBSD shows me, for instance:

-- Could NOT find loginctl (missing:  loginctl_EXECUTABLE)
-- Performing Test PAM_MESSAGE_CONST
-- Performing Test PAM_MESSAGE_CONST - Success
-- Found PAM: /usr/lib/libpam.so

That's correct: we don't have loginctl, we do have PAM (and we carry a patch 
to change the suggestion when the screen can't unlock to something that works 
on our systems). There's some consolekit stuff that works fine.

Further on I spotted:

 * PAM , PAM Libraries , <https://www.kernel.org/pub/linux/libs/pam/>
   Required for screen unlocking and optionally used by the KDM log in manager

Perhaps the mention of KDM can go away by now.

And furthermore:

 * loginctl , Send control commands to the login manager , 
<https://www.freedeskt
op.org/software/systemd/man/loginctl.html>
   Needed for emergency unlock in case that the greeter is broken. In case 
your distribution does not provide loginctl please contact plasma-
devel at kde.org to discuss alternatives.

Like I said above, we carry some patches to suggest something else and provide 
a helper script for consolekit.

[ade]

More information about the Distributions mailing list