an unexpected turn of events
December 21, 2007
So, I am totally surprised to see that Matthew Szulik is stepping down as Red Hat’s CEO. I wonder what comes next…
Login Records
June 29, 2007
So one of the the features I needed to implement for RHEL 5 was btmp logging for GDM. The btmp log is a record of failed log attempts that an admin can access by running the /usr/bin/lastb command. It’s similiar to the wtmp log which is a record of login and logouts by users, and also like the utmp log which is a record of users currently logged in.
GDM already had indirect support for those last two types of login records because when starting a session it would invoke the sessreg utility that ships with X. This utility would create an entry in the wtmp and utmp logs. This utility couldn’t create an entry in the btmp log, however, because it only gets invoked after a session is started, and the btmp log records failed login attempts–attempt that don’t lead to a session getting started.
The format of the 3 logs are nearly identical, so it made sense to do all the logging with in GDM. For RHEL 5, I pushed a patch that did wtmp and btmp logging, but neglected to do utmp logging. The reason for this was a bit of text in the utmp man page
xdm(8) should not create a utmp record, because there is no assigned terminal. Letting it create one will result in errors, such as ’finger: cannot stat /dev/machine.dom’. It should create wtmp entries, though, just like ftpd(8) does.
This turned out to be a mistake. People like to be able to see who is currently logged in by using the w command, which relies on utmp being up to date. I’ll be correcting that in a future RHEL 5 update.
Anyway, I submitted my patch upstream and Brian Cameron picked up the work and made it work in Solaris. This broke it in Linux, so he passed it back to me to fix for Linux.
There is still one issue left. utmp entries have a specific field per record called the ut_line field. For text logins you would put the name of the terminal device that is controlling the session. So if the user is logged in on vt 1, then the associated terminal device is /dev/tty1 and the ut_line field would be tty1.
For X logins, there is no controlling terminal, so there is some debate what should go in the ut_line field. Note, the warning I quoted above. Some utilities expect there to be a file in /dev with whatever value is given to ut_line. According to Brian, Solaris has traditionally dealt with this problem by creating fake files in /dev for each X login, just so programs like finger and w don’t freak out. These fake files are called “pseudo devices” and they’re sort of akin to pseudo-terminals, except they aren’t terminal devices.
Anyway, it’s not clear what we should do for ut_line. The whole idea of creating fake files just to satisfy some old unix utilities is sort of offensive, and it has SELinux implications as well. For RHEL 4, ut_line was not set to a valid file. It was simply the display number (:0 or whatever), so I’m thinking that’s probably the right way to go.
Smart Card Login
June 9, 2007
So for RHEL 5, our moutainview team needed smart card login to work out of the box for DoD cac cards. I got asked to assist on the project, so I did the leg work to get gdm and gnome-screensaver responding to smart cards getting put in and pulled out. I also did a bit of work on the pam_pkcs11 pam module (Although that was mostly written by Bob Relyea of NSS fame).
Anyway, the bulk of the code was just cut-n-paste between gdm and gnome-screensaver. The longterm plan was to create a separate dbus service to do the actual talking to the card and have gdm and gnome-screensaver talk to the service . This is good because it reduces memory footprint, speeds up response time (which can be pretty slow with cac cards!), and means the card only has to get unlocked once instead of n times (which is an important feature if smartcard login is to ever become true single sign on). Anyway, RHEL5 came and we haven’t had time to implement the service.
Well, I got an email from boc the other day (well it was a few weeks ago), that he took my code and put it into a dbus service as part of work he’s doing for Novell! Awesome.