Following the unfortunate timing of my initial sddm proposal, "[Proposal] Modernize Authentication with Asynchronous D-Bus/PAM Support" (Issue #2098, sddm/sddm on GitHub)
Hi,
I’ve been looking at the plasma-login-manager code, and while D-Bus was adopted for system communication, I wanted to ask about the authentication architecture.
Looking at the current authentication code (Greeter.cpp, DisplayManager.cpp), I see that authentication still uses synchronous socket communication from the old SDDM code.
So I wanted to ask the following question:
Is the socket-based communication between greeter and daemon planned to remain as the long-term architecture for authentication?
I ask because modern PAM modules (FIDO2/U2F, smart cards, biometric authentication) require conversational, multi-step authentication flows that are fundamentally incompatible with synchronous architectures.
This makes supporting these authentication methods hard and causes problems for users:
Given that plasma-login-manager already has robust D-Bus infrastructure in place, there may be an opportunity to extend this architecture to handle interactive authentication. This could involve:
- Extending the existing D-Bus interfaces to handle conversational authentication flows
- Implementing proper async PAM conversation handling in the daemon
- Allowing the greeter to receive and display dynamic prompts from authentication modules
I’d be very interested in the team’s thoughts on this direction and whether there are existing plans to address interactive authentication architecture. I’d be happy to contribute to such an effort if it aligns with the project’s roadmap.
Thank you for the excellent work on modernizing the login manager architecture!
Best regards,
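
The pattern the post asks about, as an added example that is not part of the original post or of plasma-login-manager: a blocking PAM-style conversation runs on a worker thread and is bridged to the greeter through messages, so the daemon's event loop never blocks and the greeter can show whatever prompts the modules emit. `ConvBridge`, `fake_pam_stack` and `run_login` are hypothetical names, the two queues stand in for D-Bus signals and method calls, and the credentials are constructed sample values.

```python
import queue
import threading

# Message styles named after Linux-PAM's conversation constants.
ECHO_OFF, ECHO_ON = "PAM_PROMPT_ECHO_OFF", "PAM_PROMPT_ECHO_ON"
ERROR_MSG, TEXT_INFO = "PAM_ERROR_MSG", "PAM_TEXT_INFO"


class ConvBridge:
    """Hypothetical bridge between a blocking PAM conversation and an event-driven daemon."""

    def __init__(self):
        self.to_greeter = queue.Queue()  # prompts and final result (would be D-Bus signals)
        self.to_pam = queue.Queue()      # greeter replies (would be D-Bus method calls)

    def conv(self, style, text):
        """Runs on the PAM worker thread; only that thread waits for the greeter."""
        self.to_greeter.put(("prompt", style, text))
        return self.to_pam.get(timeout=5)  # a real daemon would abort the session on timeout


def fake_pam_stack(bridge):
    """Constructed stand-in for pam_authenticate(): a password step, then a token step."""
    ok = bridge.conv(ECHO_OFF, "Password: ") == "correct horse"
    bridge.conv(TEXT_INFO, "Touch your security key")
    # Every step runs even after a failure, so the prompts do not reveal which factor was wrong.
    ok = (bridge.conv(ECHO_OFF, "Security key PIN: ") == "1234") and ok
    bridge.to_greeter.put(("result", ok, ""))


def run_login(answers):
    """Greeter side: record each dynamic prompt and answer input prompts from `answers`."""
    bridge, seen, answers = ConvBridge(), [], list(answers)
    worker = threading.Thread(target=fake_pam_stack, args=(bridge,), daemon=True)
    worker.start()
    while True:
        kind, value, text = bridge.to_greeter.get(timeout=5)
        if kind == "result":
            worker.join()
            return value, seen
        seen.append((value, text))
        wants_input = value in (ECHO_OFF, ECHO_ON)
        # Informational and error messages are acknowledged with an empty reply.
        bridge.to_pam.put(answers.pop(0) if wants_input and answers else "")


if __name__ == "__main__":
    print(run_login(["correct horse", "1234"]))
```
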