Re: [gdm-list] Autentication fake.


> David might be able to use pam_exec to run useradd (and passwd -d) to

Right. Well, I got interested and tested this.. and it works like a charm.
It is surprisingly robust, too.

In case other GDM users find it helpful, I'll describe the details here.
This is tested on Ubuntu 10.04 (and XFCE); other distributions may differ.

First, write a shell script which creates the user account
with an empty password. Save this as /etc/pam-create-user.bash :

	# Group to put the user into.

	# Ignore all phases except session.
	[ "${PAM_TYPE}" == "auth" ] || exit 0

	# Make sure username begins with a letter, and contains only safe characters.
	User="${PAM_USER//[^-_  0-9A-Za-z]/}"
	[ "$User" == "$PAM_USER" ] || exit 0
	[ "${User#[A-Za-z]}" != "$User" ] || exit 0

	# Check if the user already exists.
	id -u "$User" </dev/null &>/dev/null && exit 0

	# Make sure we are running as root.
	[ "`id -u`:`id -g`" == "0:0" ] || exit 0

	# Create user with empty password.
	/usr/sbin/useradd -m -N -p '' -g "$Group" -G nopasswdlogin "$User" || exit $?

	# Remove the passwordless login after 10 seconds.
	( setsid /bin/bash -c "sleep 10 ; /usr/sbin/usermod -G '' '$User'" </dev/null &>/dev/null & )

	# Done.
	exit 0

The above script adds the users to group 'dynuser'.
Create this group by running `sudo groupadd dynuser`.

To add the script to GDM PAM config, add line
	auth required /etc/pam-create-user.bash
into /etc/pam.d/gdm, just before the line,
after the two lines.

At this point, new users are created automatically and logged in
without a password, using the default session settings.
(In Ubuntu, passwordless logins are allowed for all users who
 belong to the nopasswdlogin group.)

The script launches a sleeper process, which removes the extra
groups automatically after ten seconds; thus, only the first
login will be passwordless. (Remove the setsid line in the script
to allow future passwordless logins.)

To force the users to set a password first thing,
create /etc/skel/.config/autostart/password.desktop:
	[Desktop Entry]

and the script which it refers to, /etc/startup-password.bash:
	while [ "`passwd -S | cut -d ' ' -f 2`" == "NP" ]; do
		if [ -x /usr/bin/userpasswd ]; then
			/usr/bin/userpasswd || exit $?
		elif [ -x /usr/bin/xterm ]; then
			/usr/bin/xterm /usr/bin/passwd
			exit 1
	rm -f "$HOME/.config/autostart/password.desktop"

Remember to allow anybody to run the above script,
by running `sudo chmod 0755 /etc/startup-password.bash`.

The script retries until the user successfully sets a password
(or there is some other problem). If successful, the script
removes the autostart .desktop entry.

By default, the script uses xterm to display the password
change dialog; pretty ugly. If you install the 'usermode' package,
the script will use userpasswd, which is a nice GUI for changing
the password.

Apologies for spamming the list,

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]