Re: Passwordless login



On Mon, Apr 19, 2004 at 05:49:08PM +0200, Søren Hansen wrote:
> On søn, 2004-04-18 at 23:54 -0700, George wrote:
> > > Any brilliant ideas? I'm thinking that the existence of a semaphore file
> > > in $HOME/.gnome2/ will make gdm use gdm-autologin, but we don't know the
> > > username and hence the $HOME until after we've created the pam_handle,
> > > do we?
> > The thing is that PAM now asks for the username and we don't really know it
> > until PAM does its thing.  Any solution would really have to be in PAM
> > itself (And that's where such policy should go anyway).  It would be useful
> > to create a pam module that would allow passwordless login for select local
> > users.  It also shouldn't be too hard I don't think.
> 
> Right, I figured that out a bit later, too. I've created a file
> called /etc/gdmnopassusers and added a line to my /etc/pam.d/gdm:
> auth    sufficient      pam_listfile.so file=/etc/gdmnopassusers sense=allow item=user
> 
> And presto! However, this way, I still can't tell if it's a local login
> or a remote one, so if one could use /etc/pam.d/gdm-xdmcp for remote
> logins, it'd be really nice. Could that be implemented in the next
> release?

That's actually a good idea.  Actually I'd probably be more inclined to a
gdm-console pam module which would only be invoked for console logins,
that way if some new remote mode is added later, we don't open up a hole.
Probably gdm should try 'gdm-console' first and if it doesn't exist fall back
to 'gdm', or some such.

On the other hand, perhaps there's a way to check for the display setting in
pam_listfile (I'm not familiar with it).

George

-- 
George <jirka 5z com>
   - I'm getting better!
   - No, you're not. You'll be stone dead in a moment.
                       -- Monty Python
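
An added example (not part of the original message and not gdm code): a small Python audit that parses a pam.d service file, finds `auth` rules like the pam_listfile line quoted above, and reports which names they admit without a password and whether the match is on the username alone. The sample file contents, the `pam_unix.so` lines and the names `guest` and `kiosk` are constructed for illustration.

```python
import re

# Constructed sample input: the rule from the thread in /etc/pam.d/gdm,
# followed by an assumed password module (pam_unix.so is not from the thread).
SAMPLE_GDM = """\
# /etc/pam.d/gdm (constructed)
auth     sufficient  pam_listfile.so file=/etc/gdmnopassusers \\
                     sense=allow item=user
auth     required    pam_unix.so
account  required    pam_unix.so
"""
SAMPLE_USERS = "guest\nkiosk\n"   # constructed contents of the list file

RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    text = text.replace("\\\n", " ")        # join backslash-continued lines
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            kind, control, module, rest = m.groups()
            args = dict(a.split("=", 1) for a in rest.split() if "=" in a)
            yield kind, control, module.rsplit("/", 1)[-1], args

def short_circuits(control):
    """True if success of this rule ends the auth stack immediately."""
    return control == "sufficient" or "success=done" in control

def audit(service_text, list_text):
    """Report auth rules that let listed names in without a password."""
    findings = []
    for kind, control, module, args in parse_pam(service_text):
        if (kind == "auth" and module == "pam_listfile.so"
                and short_circuits(control) and args.get("sense") == "allow"):
            findings.append({
                "file": args.get("file"),
                "item": args.get("item"),
                # item=user matches the login name only, so the rule applies
                # to every login path that uses this PAM service.
                "user_only": args.get("item") == "user",
                "entries": list_text.split(),
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GDM, SAMPLE_USERS):
        print(finding)
```

A finding with `user_only` set to true is the situation discussed in the thread: the rule cannot tell a console login from a remote one.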


