So I've got my replacement for the login screen working in a test
harness, so I bit the bullet and tried it as the replacement for
system.login.console. From my logging, it appears that there are a
few things going on that are supposed to. For example, I'm logging that
a smartcard has been removed and inserted; however, the GUI part isn't
showing up.
So I must be missing something in my replacement for
system.login.console: Here's mine:
Also, if someone has the 'Require password to wake this computer from
sleep...' set in system preferences/security I'm going to have to
replace the 'authenticate-session-owner-or-admin' key with one that
calls me, correct?
That leads to a question like: "What happens if I want to be the
authentication 'service' for everything from the Finder authenticating
when someone drags a file into a system folder, to fast user switching,
etc.?"
Thanks in advance
John
On 7-Dec-04, at 12:44 PM, Conrad Sauerwald wrote:
On Dec 7, 2004, at 06:32, John Cebasek wrote:
Hi Conrad:
(We met at the security kitchen. You moved some code around on my
Powerbook)
I'm in a position to start to test our replacement for the logon
screen, and I am trying to find out what changes have to be made to
the ref file.
I don't think I want a new right (as in your test application). I
believe (and correct me if I'm wrong) that I just want to replace the
existing mechanism in system.console.logon.
system.login.console is used for login.
But then, what do I replace it with?
If you look in the file you see the current definition is:
    <key>system.login.console</key>
    <dict>
        <key>class</key>
        <string>evaluate-mechanisms</string>
        <key>comment</key>
        <string>Login mechanism based rule. Not for general use, yet.
builtin:krb5authenticate can be used to hinge local authentication on a successful kerberos authentication and kdc verification.
builtin:krb5authnoverify skips the kdc verification. Both fall back on local authentication.</string>
        <key>mechanisms</key>
        <array>
            <string>loginwindow_builtin:login</string>
            <string>authinternal</string>
            <string>HomeDirMechanism:login,privileged</string>
            <string>MCXMechanism:login</string>
            <string>loginwindow_builtin:success</string>
            <string>builtin:getuserinfo,privileged</string>
            <string>builtin:sso,privileged</string>
            <string>loginwindow_builtin:done</string>
        </array>
    </dict>
loginwindow_builtin:login and loginwindow_builtin:success and
loginwindow_builtin:done represent the standard login panel.
Using the API in AuthorizationDB.h you can use AuthorizationRightGet()
to get this definition as a dictionary. Convert it to a mutable one
and find the mechanisms section. Recreate an array that contains the
keys of the original mechanisms array and remove/replace the values
that start with loginwindow with a string representing your plugin and
mechanism. Use AuthorizationDBSet() to set this new definition.
For testing you may want to use a different name than
system.login.console until you've got it right and you can authorize
that right from a user session.
Conrad.
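
Added example (not code from this thread or from Apple): the mechanisms-array rewrite described above, done in Python on a constructed copy of the quoted definition, plus a check that only the loginwindow entries changed and authinternal and the other mechanisms kept their order. The plugin name MyLoginPlugin and the reuse of the login/success/done mechanism names are assumptions.

```python
import plistlib

# Constructed sample: the system.login.console definition quoted in the thread,
# with the comment string left out.
ORIGINAL_RULE = b"""<plist version="1.0"><dict>
<key>class</key><string>evaluate-mechanisms</string>
<key>mechanisms</key>
<array>
    <string>loginwindow_builtin:login</string>
    <string>authinternal</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow_builtin:success</string>
    <string>builtin:getuserinfo,privileged</string>
    <string>builtin:sso,privileged</string>
    <string>loginwindow_builtin:done</string>
</array>
</dict></plist>"""

PLUGIN = "MyLoginPlugin"  # hypothetical plugin name (assumption, not from the thread)


def replace_loginwindow(rule, plugin=PLUGIN):
    """Copy rule, swapping each loginwindow* entry for plugin:<same mechanism name>."""
    new_rule = dict(rule)
    new_rule["mechanisms"] = [
        plugin + ":" + m.split(":", 1)[1] if m.startswith("loginwindow") else m
        for m in rule["mechanisms"]
    ]
    return new_rule


def non_ui(rule, ui_prefix):
    """Mechanisms that are not UI entries, in evaluation order."""
    return [m for m in rule["mechanisms"] if not m.startswith(ui_prefix)]


def only_ui_changed(old, new, plugin=PLUGIN):
    """True if the rule class and length are unchanged and every non-UI
    mechanism (authinternal etc.) is still present in the same order."""
    return (old["class"] == new["class"]
            and len(old["mechanisms"]) == len(new["mechanisms"])
            and non_ui(old, "loginwindow") == non_ui(new, plugin + ":"))


if __name__ == "__main__":
    original = plistlib.loads(ORIGINAL_RULE)
    modified = replace_loginwindow(original)
    print(plistlib.dumps(modified).decode())
    print("only UI mechanisms changed:", only_ui_changed(original, modified))
```

Running the check before writing a modified definition back catches a rewrite that accidentally drops or reorders an authentication step.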
Apple-cdsa mailing list (email@hidden)