Ubuntu's OpenGL face browser with GNOME Desktop Manager
GDM (the GNOME Display Manager) provides an alternative display manager for the X Window System.
The X Window System by default uses the XDM display manager. However, resolving XDM configuration issues typically involves editing a configuration file. GDM allows users to customize or troubleshoot settings without having to resort to a command line. Users can pick their session type on a per-login basis. GDM also features easy customisation with themes.
It is used on many Linux distributions and is often the first interactive part of the desktop that users experience after the computer finishes booting. GDM is themable, and is often customized by distributors to include branding, but has changed little over the years.
GNOME eye-candy expert Mirco Müller, who is employed by Canonical, is currently working on refining the login experience to make it aesthetically richer and more interactive. He is designing an animated face browser for the next generation GNOME display manager, which will be used in a future version of Ubuntu. Although the functional details and visual design haven't been finalized yet, the basic experience is documented in a specification at the Ubuntu wiki.

According to the proposal, the new face browser will display user account images in a grid and will allow users to select their account either by clicking an image or typing their username. The face browser will automatically filter the visible images while the user is typing so that only accounts with usernames that match the inputted letters are displayed. After an account is selected, the user will be prompted for their password. Tools like GNOME's new Cheese webcam utility could also potentially be integrated with GDM configuration utilities so that users can take their own picture and use it as their account icon.
Queen of England
Some of the copyright notices of GDM refer to the "Queen of England", who is also named as a maintainer in release announcements since version 2.2.1. It was only later that the developers realised that there has been no "Queen of England" since the Acts of Union of 1707.
Easter Eggs
GDM has a few easter eggs, in the form of strings to be entered in the username box. These can be found in the source file "gui/guilogin.c", in a function named "evil".
* Dancing login - type "Start Dancing" to start, and "Stop Dancing" to stop. (This requires the standard greeter rather than the graphical one.)
* "Gimme Random Cursor" - can be used repeatedly.
* "Require Quarter" (or "Require Quater", for backward compatibility with a typo in the original), then log in normally - a dialog box appears after entering the password.
Müller intends to develop the new login interface with Clutter, an open source canvas and scene-graph library built on OpenGL. Clutter, which is being developed by OpenedHand, is one of several canvas solutions that are being evaluated for potential inclusion in the next generation of the GTK+ toolkit. Clutter is also being tested experimentally in GNOME's image viewer and in at least one program in GNOME's game collection.
Müller has used Clutter to create an intriguing interactive animation prototype that provides some insight into what the face browser might eventually look like. The video is available for download from his web site. Keep in mind that it's still just an early experiment for testing animation capabilities and the Clutter API. It's a very impressive start and does a nice job of showing how Clutter can be used to add some extra polish to a simple interface.

The GDM Daemon
GDM was written with simplicity and security in mind. The overall design concept is this:
Upon startup the gdm daemon parses its config file gdm.conf. For each of the local displays gdm forks an Xserver and a slave process. The main gdm process will then listen to XDMCP requests from remote displays and monitor the local display sessions.
The gdm slave process opens the display and starts gdmlogin, the graphical login program. gdmlogin runs as a dedicated user and communicates asynchronously with the slave process through a pipe.
GDM relies heavily on the presence of PAM, Pluggable Authentication Modules, but supports regular crypt() and shadow passwords on legacy systems.
Remote displays can connect to the XDMCP port on the GDM host. gdm will grant access to hosts specified in the gdm service section in your TCP Wrappers configuration file. GDM does not support remote display access control on systems without TCP Wrappers. XDMCP support can be turned off completely, however.
GDM includes several measures that make it more resistant to denial of service attacks on the XDMCP service. Many of the protocol parameters, such as handshaking timeouts, can be fine-tuned. The defaults should work for most systems, however. Don't change them unless you know what you're doing.
GDM is very conservative about reading and writing user files. For instance, it refuses to touch anything but regular files: links, sockets and devices are ignored. The value of the RelaxPermissions parameter determines whether GDM should accept files writable by the user's group or others. By default such files are ignored.
All operations on user files are done with the effective userid of the user. If the sanity check fails on the user's .Xauthority file, a fallback cookie is created in /tmp.
Finally, the sysadmin can specify the maximum file size GDM should accept, and, if the face browser is enabled, a tunable maximum icon size is also enforced. On large systems it is still advised to turn off the face browser for performance reasons. Looking up icons in homedirs, scaling and rendering face icons can take quite a long time. YMMV.
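The file checks described above, written out as an added example (this is not GDM's own code). The function names, the three relax levels and the 64 KiB size cap are assumptions of the example, and it goes one step beyond the text by opening the file with O_NOFOLLOW and checking the open descriptor, so the file cannot be swapped between the check and the read.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum verdict { V_OK, V_MISSING, V_NOT_REGULAR, V_WRONG_OWNER, V_LOOSE_PERMS, V_TOO_BIG };

/* relax levels (assumed for this example): 0 rejects group- and
 * other-writable files, 1 accepts group-writable, 2 accepts both. */
enum verdict check_user_file(const char *path, uid_t owner, int relax, off_t max_size)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) /* Linux reports ELOOP when the last component is a symlink */
        return errno == ELOOP ? V_NOT_REGULAR : V_MISSING;
    enum verdict v = V_OK;
    if (fstat(fd, &st) != 0)                      v = V_MISSING;
    else if (!S_ISREG(st.st_mode))                v = V_NOT_REGULAR; /* fifo, socket, device */
    else if (st.st_uid != owner)                  v = V_WRONG_OWNER;
    else if ((st.st_mode & S_IWGRP) && relax < 1) v = V_LOOSE_PERMS;
    else if ((st.st_mode & S_IWOTH) && relax < 2) v = V_LOOSE_PERMS;
    else if (st.st_size > max_size)               v = V_TOO_BIG;
    close(fd);
    return v;
}

/* Constructed sample: create a temp file with the given mode and size,
 * optionally reach it through a symlink, and return the verdict. */
enum verdict sample(mode_t mode, off_t size, int relax, int via_symlink)
{
    char path[] = "/tmp/gdmchk-XXXXXX", link[32];
    int fd = mkstemp(path);
    if (fd < 0) return V_MISSING;
    int bad = ftruncate(fd, size) != 0 || fchmod(fd, mode) != 0;
    close(fd);
    snprintf(link, sizeof link, "%s.ln", path);
    if (via_symlink) bad |= symlink(path, link) != 0;
    enum verdict v = bad ? V_MISSING
        : check_user_file(via_symlink ? link : path, geteuid(), relax, 65536);
    if (via_symlink) unlink(link);
    unlink(path);
    return v;
}

int main(void)
{
    printf("0600 file: %d, 0620 file: %d, via symlink: %d\n",
           sample(0600, 100, 0, 0), sample(0620, 100, 0, 0), sample(0600, 100, 0, 1));
    return 0;
}
```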
XDMCP
GDM also supports the X Display Manager Protocol (XDMCP) for managing remote displays.
GDM listens on UDP port 177 and will respond to QUERY and BROADCAST_QUERY requests by sending a WILLING packet to the originator.
GDM can also be configured to honor INDIRECT queries and present a host chooser to the remote display. GDM will remember the user's choice and forward subsequent requests to the chosen manager.
GDM only supports the MIT-MAGIC-COOKIE-1 authentication system. Little is gained from the other schemes, and no effort has been made to implement them so far.
Since it is fairly easy to do denial of service attacks on the XDMCP service, GDM incorporates a few features to guard against attacks. Please read the XDMCP reference section below for more information.
Even though GDM tries to outsmart potential attackers, it is still advised that you block UDP port 177 on your firewall unless you really need it. GDM guards against DoS attacks, but the X protocol is still inherently insecure and should only be used in controlled environments.
Even though your display is protected by cookies, the XEvents, and thus the keystrokes typed when entering passwords, will still go over the wire in clear text. It is trivial to capture these. You should also be aware that cookies, if placed on an NFS-mounted directory, are prone to eavesdropping too.
The face browser
The greeter provides a face browser containing icons for all the users on a system. The icons can be installed globally by the sysadmin or in the users' home directories.
The face browser makes a few assumptions about your environment. First of all, the greeter runs under a dedicated userid, and therefore any face icons located in user directories must be readable to the gdm user, i.e. all home and ~/.gnome directories must be made readable and executable to the "other" group on the system.
Similarly, face icons placed in the global face directory must be readable to the gdm user.
Please note that loading and scaling face icons located in user home directories can be a very time-consuming task, especially on large systems or systems running NIS. The browser feature is only intended for systems with relatively few users.
To filter out unwanted user names in the browser, an exclude option is implemented. The greeter will automatically ignore usernames listed in the Exclude statement in the config file.













