RE: The lost screenwaiter [Was: The lost screensaver]



Ok, thanks for the info. I would like to also point out that Ubuntu no longer uses GDM but LightDM instead. Not sure what changes in what you said, does anyone else know?

Thanks,
Gabriel

-----Original Message-----
From: Milan Bouchet-Valat [mailto:nalimilan club fr]
Sent: 24 February 2012 10:10
To: Gabriel Rossetti
Cc: awilliam whitemice org; gnome-shell-list gnome org
Subject: RE: The lost screenwaiter [Was: The lost screensaver]

On Thursday 23 February 2012 at 16:51 +0000, Gabriel Rossetti wrote:
> Sorry, using a terrible email client, can't reply inline well.
>
> I don't agree, he wants to be able to login graphically without having
> to use a password, not by commandline. I think both aren't great, but
> at least the 1st one forces an attacker to have physical access to the
> machine whereas the 2nd would allow remote login.
>
> I agree you can do that (disable the remote logins), but it sounds
> like he may not know how to do that (since he doesn't know how to
> configure passwordless login) and even if he does he may one day
> enable it for whatever reason and forget that he deleted the user's
> password and thus opening his computer to the world (or just about).
With a properly configured system, which most distros do by default, you
won't be allowed to login without password with SSH. One really needs to
hack the config files by hand to allow this madness. So that's not the
problem.

> You can change that setting via a GUI by the way, on Gnome Shell you
> do it this way:
>
>  1) Open system settings
>  2) Click on "User Accounts"
>  3) Click on "Unlock", enter your password
>  4) Toggle the "Automatic Login" switch
>
> This way he gets what he wants and at least doesn't allow
> current/future passwordless remote logins.
This solution only works when starting the computer, it doesn't help for
user switching.


If your distribution is shipping the default PAM configuration file for
GDM[1] (Ubuntu at least does, but e.g. Fedora doesn't), then adding your
user to the 'nopasswdlogin' group is enough to login/switch users
without typing the password. You still have a password e.g. to login via
SSH. A single line in /etc/pam.d/gdm is enough to enable this:
auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin

It's available as a GUI option in users-admin, but sadly it's not been
added to the new users panel.


1: http://git.gnome.org/browse/gdm/tree/data/gdm

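An added example, not part of the original thread: a small audit that checks the `pam_succeed_if.so user ingroup nopasswdlogin` bypass discussed above is reachable only from the display manager's PAM file and not, through an include, from services such as sshd. The function names, the `GREETERS` set and the sample configurations are assumptions made for illustration, and only the `sufficient` control form quoted in the thread is matched.

```python
import re
from pathlib import Path

# Assumption: only these display-manager services are meant to allow the
# passwordless local login; any other service with the bypass is reported.
GREETERS = {"gdm", "lightdm"}
BYPASS = re.compile(r"^-?auth\s+sufficient\s+pam_succeed_if\.so\s+(.*)$")
INCLUDE = re.compile(r"^(?:@include|-?auth\s+(?:include|substack))\s+(\S+)$")

def bypass_sources(name, configs, group, seen=None):
    """Files reachable from `name` (following includes) that carry the bypass."""
    seen = set() if seen is None else seen
    if name in seen or name not in configs:
        return []
    seen.add(name)
    hits = []
    for raw in configs[name].splitlines():
        line = raw.split("#", 1)[0].strip()  # PAM comments run to end of line
        rule, inc = BYPASS.match(line), INCLUDE.match(line)
        if rule:
            args = rule.group(1).split()
            if any(args[i:i + 3] == ["user", "ingroup", group] for i in range(len(args))):
                hits.append(name)
        if inc:
            hits += bypass_sources(inc.group(1), configs, group, seen)
    return hits

def audit(configs, group="nopasswdlogin"):
    """Map every non-greeter PAM file to the files that give it the bypass."""
    found = {svc: bypass_sources(svc, configs, group) for svc in sorted(configs)
             if svc not in GREETERS}
    return {svc: src for svc, src in found.items() if src}

def load_pam_dir(path="/etc/pam.d"):
    """Read a real PAM directory into the {filename: text} form audit() takes."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(path).iterdir() if p.is_file()}

# Constructed samples (Debian-style layout), not taken from any real host.
RULE = "auth       sufficient  pam_succeed_if.so user ingroup nopasswdlogin\n"
COMMON = "auth required pam_unix.so\n"
SCOPED = {"gdm": RULE + "@include common-auth\n", "common-auth": COMMON,
          "sshd": "@include common-auth\n"}
MISPLACED = {"gdm": "@include common-auth\n", "common-auth": RULE + COMMON,
             "sshd": "@include common-auth\n"}

if __name__ == "__main__":
    print("scoped:   ", audit(SCOPED))
    print("misplaced:", audit(MISPLACED))
```

On a live system, `audit(load_pam_dir())` returning an empty dict means the bypass is confined to the greeter files.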

