Re: [gdm-list] Separate username and password fields



Hi,

> Could the username be validated as a legitimate account before logging it?
> This would prevent inadvertent logging of non-username, potentially private
> information. Logging should still occur (so that attacks can be flagged),
> but the "username" could be anonymized if it's not a legit account.
Not really. PAM converts the user's inputted username into a
"canonical" username as part of its authentication process.

So for instance a PAM module could potentially support

\\WINDOWSDOMAIN\Bob.Doolittle

and at the end of the PAM conversation that username could get changed to

bdoolittle

or whatever. You could also imagine a scenario where a PAM module and
nsswitch module were in cahoots, and typing

"guest"

as a username would transparently create a "guest334" username and log
the user in with that username.

--Ray

