RE: The lost screenwaiter [Was: The lost screensaver]



On Thursday 23 February 2012 at 16:51 +0000, Gabriel Rossetti wrote:
> Sorry, using a terrible email client, can't reply inline well.
> 
> I don't agree, he wants to be able to login graphically without having
> to use a password, not by commandline. I think both aren't great, but
> at least the 1st one forces an attacker to have physical access to the
> machine whereas the 2nd would allow remote login.
>
> I agree you can do that (disable the remote logins), but it sounds
> like he may not know how to do that (since he doesn't know how to
> configure passwordless login) and even if he does he may one day
> enable it for whatever reason and forget that he deleted the user's
> password, thus opening his computer to the world (or just about).

With a properly configured system, which most distros do by default, you
won't be allowed to login without password with SSH. One really needs to
hack the config files by hand to allow this madness. So that's not the
problem.

> You can change that setting via a GUI by the way, on Gnome Shell you
> do it this way:
> 
>  1) Open system settings
>  2) Click on "User Accounts"
>  3) Click on "Unlock", enter your password
>  4) Toggle the "Automatic Login" switch
> 
> This way he gets what he wants and at least doesn't allow
> current/future passwordless remote logins.

This solution only works when starting the computer, it doesn't help for
user switching.


If your distribution is shipping the default PAM configuration file for
GDM[1] (Ubuntu at least does, but e.g. Fedora doesn't), then adding your
user to the 'nopasswdlogin' group is enough to login/switch users
without typing the password. You still have a password e.g. to login via
SSH. A single line in /etc/pam.d/gdm is enough to enable this:

    auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin

It's available as a GUI option in users-admin, but sadly it's not been
added to the new users panel.


1: http://git.gnome.org/browse/gdm/tree/data/gdm
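
An audit sketch for the setup discussed in this message, added here as an example and not part of the original thread: it parses PAM service files and reports any service other than the display manager whose auth stack reaches the nopasswdlogin bypass, directly or through an include. The sample stacks, the LOCAL_ONLY set and the function names are assumptions made for the illustration.

```python
import re

GROUP = "nopasswdlogin"   # group named in the message above
LOCAL_ONLY = {"gdm"}      # assumption: services where the bypass is intended

# Constructed sample stacks (not copied from any real system).
SAMPLE = {
    "gdm": "auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin\n"
           "@include common-auth\n",
    "sshd": "# auth sufficient pam_succeed_if.so user ingroup nopasswdlogin\n"
            "@include common-auth\n",
    "common-auth": "auth    required    pam_unix.so\n",
}

def bypass_lines(text):
    """Return (bypass lines, included files) for the auth stack of one PAM file."""
    hits, includes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("@include"):              # Debian/Ubuntu include syntax
            includes.append(line.split()[1])
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1) != "auth":
            continue
        control, module, args = m.group(2, 3, 4)
        if control in ("include", "substack"):
            includes.append(module)
        elif (module.endswith("pam_succeed_if.so")
              and re.search(rf"\buser\s+ingroup\s+{GROUP}\b", args)
              # 'sufficient', or a bracketed control that ends or skips the stack
              and (control == "sufficient"
                   or re.search(r"success=(done|\d+)", control))):
            hits.append(line)
    return hits, includes

def exposed_services(stacks):
    """Services outside LOCAL_ONLY whose auth stack reaches the bypass."""
    def reaches(name, seen):
        if name in seen or name not in stacks:
            return False
        seen.add(name)
        hits, includes = bypass_lines(stacks[name])
        return bool(hits) or any(reaches(i, seen) for i in includes)
    return sorted(s for s in stacks if s not in LOCAL_ONLY and reaches(s, set()))

if __name__ == "__main__":
    print(exposed_services(SAMPLE))
```

On a real system, build the `stacks` dict by reading each file under /etc/pam.d, keyed by file name.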

