Re: [gdm-list] Autentication fake.
- From: Jouko Orava <jouko orava helsinki fi>
- To: Ray Strode <halfline gmail com>
- Cc: gdm-list gnome org
- Subject: Re: [gdm-list] Autentication fake.
- Date: Fri, 1 Oct 2010 21:30:21 +0300 (EEST)
Hello,
> David might be able to use pam_exec to run useradd (and passwd -d) to
Right. Well, I got interested and tested this.. and it works like a charm.
It is surprisingly robust, too.
In case other GDM users find it helpful, I'll describe the details here.
This is tested on Ubuntu 10.04 (and XFCE); other distributions may differ.
First, write a shell script which creates the user account
with an empty password. Save this as /etc/pam-create-user.bash :

    #!/bin/bash

    # Group to put the user into.
    Group="dynuser"

    # Ignore all phases except auth (the script is installed in the auth stack).
    [ "${PAM_TYPE}" == "auth" ] || exit 0

    # Make sure username begins with a letter, and contains only safe characters.
    User="${PAM_USER//[^-_ 0-9A-Za-z]/}"
    [ "$User" == "$PAM_USER" ] || exit 0
    [ "${User#[A-Za-z]}" != "$User" ] || exit 0

    # Check if the user already exists.
    id -u "$User" </dev/null &>/dev/null && exit 0

    # Make sure we are running as root.
    [ "$(id -u):$(id -g)" == "0:0" ] || exit 0

    # Create user with empty password.
    /usr/sbin/useradd -m -N -p '' -g "$Group" -G nopasswdlogin "$User" || exit $?

    # Remove the passwordless login after 10 seconds.
    # $User contains only the characters checked above, so the single quotes are safe.
    ( setsid /bin/bash -c "sleep 10 ; /usr/sbin/usermod -G '' '$User'" </dev/null &>/dev/null & )

    # Done.
    exit 0

The above script adds the users to group 'dynuser'.
Create this group by running `sudo groupadd dynuser`.
To add the script to the GDM PAM config, add the line

    auth required pam_exec.so /etc/pam-create-user.bash

into /etc/pam.d/gdm, just before the pam_succeed_if.so line,
after the two pam_env.so lines.
At this point, new users are created automatically and logged in
without a password, using the default session settings.
(In Ubuntu, passwordless logins are allowed for all users who
belong to the nopasswdlogin group.)
The script launches a sleeper process, which removes the extra
groups automatically after ten seconds; thus, only the first
login will be passwordless. (Remove the setsid line in the script
to allow future passwordless logins.)
To force the users to set a password first thing,
create /etc/skel/.config/autostart/password.desktop:

    [Desktop Entry]
    Encoding=UTF-8
    Version=0.9.4
    Type=Application
    Name=Startup-userpasswd
    Comment=
    Exec=/etc/startup-password.bash
    StartupNotify=false
    Terminal=false
    Hidden=false

and the script which it refers to, /etc/startup-password.bash:
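
    #!/bin/bash

    # Loop while "passwd -S" reports NP (no password) for the current user.
    while [ "$(passwd -S | cut -d ' ' -f 2)" == "NP" ]; do
        if [ -x /usr/bin/userpasswd ]; then
            # GUI password dialog from the 'usermode' package.
            /usr/bin/userpasswd || exit $?
        elif [ -x /usr/bin/xterm ]; then
            # Fallback: run passwd in an xterm window.
            /usr/bin/xterm /usr/bin/passwd
        else
            exit 1
        fi
    done

    # A password is set; remove the autostart entry so this does not run again.
    rm -f "$HOME/.config/autostart/password.desktop"
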
Remember to allow anybody to run the above script,
by running `sudo chmod 0755 /etc/startup-password.bash`.
The script retries until the user successfully sets a password
(or there is some other problem). If successful, the script
removes the autostart .desktop entry.
By default, the script uses xterm to display the password
change dialog; pretty ugly. If you install the 'usermode' package,
the script will use userpasswd, which is a nice GUI for changing
the password.
Apologies for spamming the list,
Jouko
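
Added example, not part of the original message: an audit for accounts that the scheme above can leave in a weak state, namely an empty password field (the `useradd -p ''` step) or lingering membership in nopasswdlogin (if the ten-second `usermod` never ran). The function names and the sample shadow/group lines are constructed for illustration.

```bash
#!/bin/bash
# Added example: audit for accounts left passwordless by the auto-create scheme.
# Input is shadow(5)- and group(5)-format text; the sample data is constructed.

# Names whose shadow password field is empty (what "useradd -p ''" writes).
empty_password_users() {            # $1 = shadow-format file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Supplementary members of a group (4th field of group(5), comma separated).
group_members() {                   # $1 = group name, $2 = group-format file
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
}

# Print one line per finding: "<user> <finding>".
audit() {                           # $1 = shadow file, $2 = group file
    np=" $(group_members nopasswdlogin "$2" | tr '\n' ' ')"
    empty=" $(empty_password_users "$1" | tr '\n' ' ')"
    for u in $empty; do
        case "$np" in
            *" $u "*) echo "$u empty-password+nopasswdlogin" ;;  # first login still pending
            *)        echo "$u empty-password" ;;                # password was never set
        esac
    done
    for u in $np; do
        case "$empty" in
            *" $u "*) ;;                                         # already reported above
            *)        echo "$u nopasswdlogin-with-password" ;;   # group removal never ran
        esac
    done
}

# Constructed sample data; on a real system pass /etc/shadow and /etc/group as root.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/shadow" <<'EOF'
root:!:14883:0:99999:7:::
alice::14883:0:99999:7:::
bob:$6$constructed$notarealhash:14883:0:99999:7:::
carol::14883:0:99999:7:::
EOF
    cat > "$d/group" <<'EOF'
dynuser:x:1001:
nopasswdlogin:x:1002:carol,bob
EOF
    audit "$d/shadow" "$d/group"
    rm -rf "$d"
}
demo
```

An empty shadow password field is the same condition that `passwd -S` reports as NP in the startup script above.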