Passwordless-GDM: enable authentication method selection and EIdP login #9
Remember to set
in sssd.conf in order to test this properly.
@justin-stephenson and @sumit-bose this is the PR for passwordless-GDM integration
Ack, thank you.
Hi, thanks for the patch, after realizing that Fedora 40 already has some newer package version than your test repo everything was working fine in my tests. I also rebased the patches on top of current master to see if the change in krb5_child about handling multiple authentication methods will cause issues, but currently they don't. The comments I added can be handled when moving forward adding more methods. bye,
This API gets the selected response type data from the response_data linked list. Includes unit tests. Signed-off-by: Iker Pedrosa <[email protected]> Signed-off-by: Ray Strode <[email protected]>
Integration with GDM requests two prompts for EIdP so adding them to prompt_config structure. In addition, implement all the functions needed to manipulate the structure for these new prompts. Finally, add unit-tests for the new functions. Signed-off-by: Iker Pedrosa <[email protected]>
These new options are needed by the GDM integration, but they can be reused for CLI prompting. :config: New options to tune EIdP prompting: 'init_prompt' and 'link_prompt'. Signed-off-by: Iker Pedrosa <[email protected]>
46c7c56
to
0ab4821
Compare
Hi @sumit-bose, This is ready for review again. CI failures are unrelated and COPR repo is updated with latest code, including prompt tuning.
Return `prompt_config` structure in `pam_eval_prompting_config` to tune the prompts from the SSSD config in the GUI. Signed-off-by: Iker Pedrosa <[email protected]>
Implement a set of functions to check the available authentication mechanisms and their associated data, and generate a JSON message with it. This JSON formatted message will be consumed by apps that provide GUI login (i.e. GDM). Currently, the implementation only takes into account password and OAUTH2 mechanisms. Include unit tests to check the implemented functions. Signed-off-by: Iker Pedrosa <[email protected]>
Implement a set of functions to unpack the JSON reply from the GUI. Include unit tests to check the implemented functions. Signed-off-by: Iker Pedrosa <[email protected]>
Implement a function to check whether the PAM service file in use is enabled for the JSON protocol. This helps us filter which applications are compatible with this protocol. Signed-off-by: Iker Pedrosa <[email protected]>
This new option is used to enable the JSON protocol in the PAM responder based on the PAM service file in use. :config: Add pam_json_services option to enable JSON protocol to communicate the available authentication mechanisms. Signed-off-by: Iker Pedrosa <[email protected]>
Call JSON message generation function and fill the data structure containing the response_data linked list. Signed-off-by: Iker Pedrosa <[email protected]>
Forward the available authentication mechanisms and their associated data message to the GUI login using a PAM conversation. Then, obtain the reply and forward it to the responder, so that it can parse it. Signed-off-by: Iker Pedrosa <[email protected]> Signed-off-by: Ray Strode <[email protected]>
Parse GUI reply and set the appropriate data in `sss_auth_token` structure. Signed-off-by: Iker Pedrosa <[email protected]>
Include JSON message where it applies. Signed-off-by: Iker Pedrosa <[email protected]>
Hi, thanks for the update, code looks good. I will run some tests, does the build in your copr repo contain the latest changes or would it be better if I build SSSD from this PR? bye,
You can test it using the COPR repository, as it has been updated.
Hi, thanks, tests were working fine. I have no further comments. bye,
@sumit-bose can you approve it? @justin-stephenson I made some changes after Sumit's review. Do you want to take another look?
Hi,
all is looking and working fine, ACK.
bye,
Sumit
It's okay for me, Ack.
Thanks for the reviews. I'm closing this PR and rebasing the development branch manually to add the
This PR enables the authentication method selection and the EIdP login from the GNOME login screen.
The design page is available at SSSD/sssd.io#79
The COPR repo for testing is available at https://copr.fedorainfracloud.org/coprs/ipedrosa/passwordles-gdm. You should update sssd, gnome-desktop3, mutter, gdm and gnome-shell packages.
In order to test it's necessary to set
Constraints: if a user has enabled both password and EIdP authentication, they will only be able to authenticate using EIdP. There's a known problem with password authentication.