Re: [system-tools] Allowing password-less connexions



I am a new reader, so I apologize for any really obvious idiocy upon my part.  Is this feature supposed to make it possible to log in as a regular user and do password-free sudo commands? Or is it intended to make a basic user a de facto root-user (which would do away with the sudoers log entry for whatever the user might do)?  I can see some point to the former, but wouldn't they both be security holes waiting for exploit?  Personally, I see the effortless admin access of Windows to be one of the major flaws of the Windows model.  Yes, I can see that this is a voluntary change and everybody should be allowed to endanger their home PC as much as they like, but why would one wish to encourage Linux-based bot-nets?

Wolf Halton
Computer Security and Penetration Testing (2007)

Milan Bouchet-Valat  wrote:

Date: Sun, 04 May 2008 18:19:48 +0200
From: Milan Bouchet-Valat
Subject: [system-tools] Allowing password-less connexions
To: system-tools-list gnome org
Cc: gdm-list
Message-ID: <1209917988 6148 23 camel milan>
Content-Type: text/plain; charset=UTF-8

Hi! I was discussing on GDM's list of implementing a graphical way to
allow users to login through GDM and gnome-screensaver without entering
their password. I'd like to code it and it may well be that users-admin
is the place it should go into. This is a much wanted feature that is
preserving security for remote login and administrative tasks.

It is easy to set up using PAM: you need to modify /etc/pam.d/gdm.conf
so that it contains this:
"auth sufficient pam_listfile.so sense=allow file=/etc/gdm/nopassword item=user"

What we only need is a GUI to select which users will be listed in this
file. First I thought gdm-setup would be the place to do that, but now I
believe it would be nice to put it in users-admin. See my post to the
GDM list. I'd like to get your comments about this.


Cheers


-------- Transferred message --------
From: Milan Bouchet-Valat
To: Maarten de Boer
Cc: gdm-list gnome org
Subject: Re: [gdm-list] Allowing password-less connexions
Date: Sun, 04 May 2008 18:07:32 +0200

I've just read the answer Martin got last time he raised this issue.
Obviously distro-specific PAM will be a problem - but what would be nice
is that a distribution wanting to enable this feature can do this
easily. For this we would need mostly a GUI, since PAM files are anyway
written by the distros.

After thinking a little more, I thought that maybe it would be more
logical and easier to add a checkbox in the users profiles in
users-admin (from gnome-system-tools) allowing to skip password check in
GDM/gnome-screensaver. This option would just write the username to a
file (/etc/gdm-nopasswd.list, /etc/nopasswd.list or so...).
Distributions would have to choose between updating pam.d conf files
accordingly so that this is working, or disabling/hiding this feature
(via a GConf key for example).

Adding this in GDM would require more work and an extended interface,
and moreover the per-user approach may be more friendly than configuring
the login screen (system-wide).

Any comments/criticisms? I'm contacting the g-s-t team to hear what they
think of it, and I CC the gdm-list.






--
Click on WolfHalton.info and Speak Your Mind!

Of all things, good sense is the most fairly distributed: everyone thinks he is so well supplied with it that even those who are the hardest to satisfy in every other respect never desire more of it than they already have. -- René Descartes - Discours de la Méthode
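
Added example, not part of the original messages: a small audit that finds which PAM services carry the pam_listfile allow-list line quoted above and checks who can edit the list file it points to. PAM configuration is per service, so the check is run per service file. The service file contents are constructed samples and the function names are this example's own.

```python
import os
import stat

# Constructed sample PAM service files (not taken from any distribution).
SAMPLE_SERVICES = {
    "gdm": "auth sufficient pam_listfile.so sense=allow "
           "file=/etc/gdm/nopassword item=user\n"
           "auth required pam_unix.so\n",
    "sudo": "# no allow-list line in this service file\n"
            "auth required pam_unix.so\n",
}

def find_listfile_bypass(pam_text):
    """Return the pam_listfile arguments of every auth line that can skip the password."""
    hits = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        if fields[1] != "sufficient" or os.path.basename(fields[2]) != "pam_listfile.so":
            continue
        args = dict(a.split("=", 1) for a in fields[3:] if "=" in a)
        if args.get("sense") == "allow":
            hits.append(args)
    return hits

def audit(services):
    """Map each service name to the allow-list files that grant password-less auth."""
    found = {}
    for name, text in services.items():
        files = [h.get("file", "?") for h in find_listfile_bypass(text)]
        if files:
            found[name] = files
    return found

def listfile_problems(path):
    """Return reasons the allow-list could be edited by someone other than root."""
    try:
        st = os.stat(path)
    except OSError:
        return ["missing or unreadable"]
    problems = []
    if st.st_uid != 0:
        problems.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    return problems

if __name__ == "__main__":
    for service, files in audit(SAMPLE_SERVICES).items():
        for path in files:
            print(service, path, listfile_problems(path))
```

On a real system, feed `audit` the contents of each file under /etc/pam.d, keyed by file name.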

