Re: [gdm-list] Password-less login, last take
- From: Ray Strode <halfline gmail com>
- To: Milan Bouchet-Valat <nalimilan club fr>
- Cc: gdm-list <gdm-list gnome org>
- Subject: Re: [gdm-list] Password-less login, last take
- Date: Sat, 27 Jun 2009 18:12:57 -0400
Hi,
On Sat, Jun 27, 2009 at 3:07 PM, Milan Bouchet-Valat <nalimilan club fr> wrote:
> I'd like to wake up the old story of password-less logins, and hopefully
> fix it quickly, since all the required parts are here now. I've created
> a patch for the gnome-system-tools that will add the user to a specific
> group if the option "Don't check for password on login" is ticked.
So thinking about it, we already have:
1) Automatic login
2) Timed login
3) passwd -d
I'm not really a fan of adding yet another way to do this. If none of
these are really sufficient, then I'd rather make one of them
sufficient (maybe make TimedLoginDelay=-1 mean "never start
timer"?)...
You mention passwd -d being a security hole in the bug report, but I
don't see what security ramifications it has over your proposed
solution.
If you do passwd -d then obviously ssh won't let you log in with a
password anymore. That *increases* security, since it forces you to
use public keys.
> Now we only need GDM to ship with a default PAM configuration file
> that uses that feature so that distributors can easily enable it.
> Unfortunately, these files are customized most of the time, so they will
> have to adapt their versions before that works. (The 'nopasslogin' group
> will have to be created by downstream before the feature is enabled,
> anyway.) But modifying the default file is still useful, at least for
> reference.
Maybe it would make sense to provide a hint on how to accomplish this
in the gdm documentation instead of in the reference pam file?
I guess g-s-t could modify the pam file itself, too...
---Ray
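
An added example, not part of the original message or of GDM: a small Python audit that compares the two mechanisms discussed in this thread, listing accounts with an empty shadow password field (the state `passwd -d` leaves), members of the `nopasslogin` group, and whether sshd's global `PermitEmptyPasswords` setting would accept an empty password. The sample file contents and function names are constructed for illustration; PAM's own handling of empty passwords is not modelled.

```python
# Constructed sample data; on a real host read /etc/shadow, /etc/group, sshd_config.
SHADOW = "root:$6$constructed:14422::::::\nalice::14422::::::\ncarol:!:14422::::::\n"
GROUP = "users:x:100:alice,bob,carol\nnopasslogin:x:1001:bob\n"
SSHD_CONFIG = "# constructed\nPasswordAuthentication yes\npermitemptypasswords no\n"

def empty_password_users(shadow_text):
    """Accounts whose shadow password field is empty (what `passwd -d` leaves)."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # "!" or "*" means locked, not password-less, so only "" counts.
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            users.append(fields[0])
    return users

def group_members(group_text, group_name):
    """Supplementary members listed in the group file (primary GIDs not checked)."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group_name:
            return [m for m in fields[3].split(",") if m]
    return []

def sshd_permits_empty(config_text):
    """Global PermitEmptyPasswords value; keywords are case-insensitive,
    the first occurrence wins, and the sshd default is "no"."""
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ").split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":  # assumption: only the global section is read
            break
        if parts[0].lower() == "permitemptypasswords" and len(parts) > 1:
            return parts[1].lower() == "yes"
    return False

def audit(shadow_text, group_text, config_text):
    empty = empty_password_users(shadow_text)
    return {
        "empty_password": empty,
        "nopasslogin_group": group_members(group_text, "nopasslogin"),
        # Empty-password accounts are reachable over ssh only if sshd allows it.
        "ssh_empty_password_logins": empty if sshd_permits_empty(config_text) else [],
    }

if __name__ == "__main__":
    print(audit(SHADOW, GROUP, SSHD_CONFIG))
```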