Re: [gdm-list] Password-less login, last take

[Ray Strode <halfline gmail com>]

Hi,

> Automatic and timed login are GDM convenience features that are really
> useful when you are the only person to use the computer, or the one that
> uses it the most (laptops are in this case). But the case I want to
> handle is about a computer used by several people, just like a home
> desktop computer is. You can't log a user directly there, and yet users
> don't want to type in their passwords because the physical environment
> is secure.
>
> Then you might think of the 'passwd -d' way of solving this. First,
> there is no convenient (read: graphical) way of doing this currently, so
> that's not really used at all. And that's not secure nor practical
> because:
> - any guy reaching your computer can actually perform any admin task
> just like installing software or messing with your system (which friends
> at home often do in your back ;-) )
Not sure I follow.  Wouldn't installing software and other admin tasks
require the root password?

> - any guy reaching your computer can also change your password so that
> you're locked out of your account
Well any guy with access to your machine can change your password,
true.  But that's true regardless.  Anyone with physical access can do
anything they want.  Of course when you get access to your machine you
can change it back...  Clearly passwordless login (via your way or
passwd -d) should only be set up in environments where you trust the
people who have access to your machine.

> - you cannot use ssh since you have no password
Sure you can.  You have to use a key instead of a password, but you
should b e doing that *anyway*.

> My proposal (on which we kind of agreed with both GDM and g-s-t
> maintainers back when I suggested it) solves these problems, and is more
> practical and more secure at the same time.
I still don't see the practical problem with passwd -d.

> Maybe we can integrate this feature with autologin so that the autologin
> account is also allowed password-less login - that would be more
> consistent.
Not sure what you mean, autologin already allows password-less login?

>> Maybe it would make sense to provide a hint on how to accomplish this
>> in the gdm documentation instead of in the reference pam file?
> These are the parts I'd like to discuss. The documentation should
> mention it for clarity's sake. I don't see why the default PAM file
> should not use it, maybe in a commented line if you think that's a
> security issue. Anyway, distributors seems to ship their own files, so
> that's mostly about giving them hints.
Given that most distributions use their own files here anyway, it might make
sense to drop the files completely, or move them to the documentation as well...

>> I guess g-s-t could modify the pam file itself, too...
> They could, but my approach is that the feature is disabled unless the
> distribution creates the group 'nopasswdlogin', so that we don't mess
> with distribution's security policies. And modifying a PAM configuration
> file from a script looks quite complex and risky, at least from my
> unexperienced POV. Since distributions ship their own PAM files for GDM,
> I think we can tell them to enable this feature by adapting these files
> and creating the required group in a script, both in the GDM package.
>
> Can we agree on this kind of solution?
I don't really like this solution.  I don't like using groups like
this.  The modern approach to user policy seems to be to assign
capabilities with PolicyKit.

Anyway, we're just talking about a hint for distributions to follow...
 I don't care that much either way, but I don't know how Brian and Jon
feel.

--Ray