Previously I was just presenting a static username/password box, and
then running PAM with pre-set credentials. This works just fine when
PAM is expecting a username and password, but if it's expecting
something like a fingerprint scan or a hardware security token, this
wouldn't entirely work right. Well, it would "work", but the
username/password dialog would be displayed, and then hitting "Unlock"
would start a different auth process with no visible feedback as to
what's supposed to happen.

This also means I need to switch PAM wrapper crates; the one I was using
before did not allow passing a fixed username to the underlying
pam_start() call, which meant that PAM would try to prompt the user for
it, which is not what we want.

This also stops using -1 as auth failed, and moves all failure statuses
to positive numbers. It looks like exiting with -1 ends up setting the
status to 255 on exit, but then in the locker, it sees this as 255 and
not -1, since things get coerced into 32-bit integers.

We never quit the main loop, but if something odd happens that causes it
to quit outside our control, ensure that we don't return the "auth
success" status code.

Changes the auth failed label into an auth status label, and prints a
dot once every half second while authenticating.

Also reduces the post-auth-failed pause to 1 second; 2 seconds is longer
than it seems.

By default it'll look at your environment to try to figure out which
display manager is used in order to start a new session. We first try
the org.freedesktop.DisplayManager dbus interface, and if that fails,
inspect XDG_SESSION_DESKTOP to try to figure out which display manager
is running.

The user can also still specify the correct display manager, or a custom
command.

This includes an abortive attempt to do a gtk4 dialog (which I don't
think is possible, as gtk4 doesn't allow embedding toplevels anymore),
and an iced dialog, which I just never started writing.
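
The exit-status behaviour described in the commit message above about moving failure statuses to positive numbers, shown as an added example (not code from this project): on POSIX only the low 8 bits of an exit code reach the parent, so a check for -1 never matches and a code of 256 reads as 0. The `AUTH_OK` and `AUTH_FAILED` names and values are assumptions made for this sketch.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical status codes; the page does not list the project's real ones. */
enum { AUTH_OK = 0, AUTH_FAILED = 1 };

/* Fork a child that exits with `code` (standing in for the auth dialog
 * process) and return the raw wait status, or -1 if fork/waitpid failed. */
static int run_child(int code)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(code);            /* only the low 8 bits reach the parent */
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return status;
}

/* Exit code as the parent sees it, or -1 if the child did not exit normally. */
static int observed_exit_code(int code)
{
    int status = run_child(code);
    if (status < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Fail closed: unlock only on a normal exit whose code is exactly AUTH_OK. */
static int should_unlock(int wait_status)
{
    return wait_status >= 0 && WIFEXITED(wait_status)
        && WEXITSTATUS(wait_status) == AUTH_OK;
}

int main(void)
{
    printf("exit(-1)  observed as %d\n", observed_exit_code(-1));
    printf("exit(256) observed as %d\n", observed_exit_code(256));
    printf("exit(%d)   observed as %d\n", AUTH_FAILED, observed_exit_code(AUTH_FAILED));
    printf("unlock after exit(-1)? %d\n", should_unlock(run_child(-1)));
    printf("unlock after exit(0)?  %d\n", should_unlock(run_child(AUTH_OK)));
    return 0;
}
```

Keeping every failure code in the range 1 to 255 means the value the child sets is the value the parent compares against.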