On Do, 24.11.22 13:36, Dominik George (nik@xxxxxxxxxxxxx) wrote:

> Hi,
>
> > (BTW; I kinda hope that one day systemd-homed could directly
> > authenticate home directories via OIDC too. In fact, I want it so that
> > you can just type in any OpenID identity on a login prompt, and this
> > would authenticate a user and create a local homedir on the fly if
> > needed.)
>
> that's basically what I am building.

how do you intend to support getty logins, i.e. non-graphical
text-based only logins, where you cannot just open a web browser? oidc
device flow?

(I mean, from an environment like gdm it might actually make a ton of
sense to just open a web browser dialog, but for the getty crap? or
sudo?)

> I guess my approach will be coming up with a custom Varlink interface
> for PAM authentication and experiment with it.

That's tough. PAM has a lot of implicit and explicit state attached to
the PAM handle... And you can have PAM conversations and so on
(i.e. prompting arbitrary questions) which makes PAM compat really
really messy...

Lennart

--
Lennart Poettering, Berlin