Edit:
As stated by @grawity, compliant applications can handle such an authentication scheme gracefully. Graphical issues are avoided by asking for the two passwords in two successive steps (not the three fields "login / pass1 / pass2" as I encountered in a specific application using RSA SecurID, but the usual login/password screen followed by a second password screen after the first input).
As far as PAM is concerned, it is all about:
- Installing or creating the appropriate PAM module which will handle the second password (with a little luck the RFID provider may already provide one, or if it is standard enough one may already exist somewhere else),
- Configuring PAM to accept multi-factor authentication, usually by adding a second "auth required new_module_name_here.so", but this depends largely on the Linux distribution being used. Some research about "pam multi-factor" may prove useful. PAM configuration allows a lot of subtleties, like the order of passwords to be requested, if the second one should be requested only when the first one is valid or always, etc.
- Configuring your application appropriately if needed, but depending on your needs and the existing setup you may be lucky and it will work out of the box.
Original post:
Instead of wanting to update the UI of the shell login, lightdm login and screensaver login (i.e. create a fork of all of these that you will have to maintain over time), maybe the better choice would be to merge your two passwords into one (for instance define as your own policy that you will have to type both passwords separated by a dash: "password1-password2"), and then create your own specific PAM module to authenticate this.
By this means you will remain compatible with all currently existing applications.
Properly written UI doesn't require modification – multiple prompts are already a regular part of PAM. – user1686 – 2015-03-31T10:45:13.920
@grawity Thanks for the information, I thought that the password input was handled by the graphical UI, then the credential transmitted to PAM to be authenticated. I look forward to your more complete answer on how to configure PAM as requested in the original question so all complying graphical interfaces "automagically" add a second password field to their screen :) ! – WhiteWinterWolf – 2015-03-31T12:45:34.723
Well, yes, it is handled by the graphical UI, but usually in response to PAM prompts. So when PAM accepts one input but shows a second prompt, it should work automatically; I think I've seen that happen in gdm and lightdm. – user1686 – 2015-03-31T14:59:47.050
Thanks for your helpful comments, I've edited my post accordingly :) – WhiteWinterWolf – 2015-03-31T16:56:45.330
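The stacking described in the answer's PAM configuration step, as an added example that is not part of the original post or comments. It assumes `pam_unix.so` checks the first password and keeps the answer's placeholder `new_module_name_here.so` for the second factor; the file path is a placeholder because the layout differs between distributions.

```conf
# /etc/pam.d/<service>   (placeholder path; distribution dependent)
#
# Modules in the auth stack run top to bottom, so the order of these lines
# is the order in which the two passwords are requested.

# Variant A: always ask for both passwords.
# "required": a failure is recorded but the stack keeps running, so the
# second prompt appears even when the first password was wrong. The overall
# result is still a failure, and the user is not told which factor was
# rejected.
auth    required    pam_unix.so
auth    required    new_module_name_here.so

# Variant B: ask for the second password only when the first one is valid.
# "requisite": a failure returns to the application immediately, so the
# second module is never called after a wrong first password.
# Use this pair instead of variant A, not in addition to it.
#auth   requisite   pam_unix.so
#auth   required    new_module_name_here.so
```

Keep an already authenticated root session open while testing changes to the auth stack, so a mistake in the file does not lock you out.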