Re: [gdm-list] Password-less login, last take

[Ray Strode <halfline gmail com>]

Hi,

On Sat, Jun 27, 2009 at 3:07 PM, Milan Bouchet-Valat<nalimilan club fr> wrote:
> I'd like to wake up the old story of password-less logins, and hopefully
> fix it quickly, since all the required parts are here now. I've created
> a patch for the gnome-system-tools that will add the user to a specific
> group if the option "Don't check for password on login" is ticked.
So thinking about it, we already have:

1) Automatic login
2) Timed login
3) passwd -d

I'm not really a fan of adding yet another way to do this.  If none of
these are really sufficient, then I'd rather make one of them
sufficient (maybe make TimedLoginDelay=-1 mean "never start
timer"?)...

You mention passwd -d being a security hole in the bug report, but I
don't see what security ramifications it has over your proposed
solution.

If you do passwd -d then obviously ssh won't let you login with a
password anymore.  That *increases* security, since it forces you to
use public keys.

> Now we only need to GDM to ship with default PAM configuration file
> that use that feature so that distributors can easily enable it.
> Unfortunately, these files are customized most of the time, so they will
> have to adapt their versions before that works. (The 'nopasslogin' group
> will have to be created by downstream before the feature is enabled,
> anyway.) But modifying the default file is still useful, at least for
> reference.
Maybe it would make sense to provide a hint on how to accomplish this
in the gdm documentation instead of in the reference pam file?

I guess g-s-t could modify the pam file itself, too...

---Ray