I am a new reader, so I apologize for any really obvious idiocy upon my part.
Is this feature supposed to make it possible to log in as a regular user and do
password-free sudo commands? Or is it intended to make a basic user a de facto
root user (which would do away with the sudoers log entry for whatever the user
might do)?  I can see some point to the former, but wouldn't they both be
security holes waiting for exploit?  Personally, I see the effortless admin
access of Windows to be one of the major flaws of the Windows model.  Yes, I
can see that this is a voluntary change and everybody should be allowed to
endanger their home PC as much as they like, but why would one wish to
encourage Linux-based botnets?

Wolf Halton
Computer Security and Penetration Testing (2007)

Milan Bouchet-Valat wrote:
Date: Sun, 04 May 2008 18:19:48 +0200
From: Milan Bouchet-Valat 
Subject: [system-tools] Allowing password-less connexions
To: [email protected]
Cc: gdm-list 
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

Hi! I was discussing on GDM's list of implementing a graphical way to
allow users to login through GDM and gnome-screensaver without entering
their password. I'd like to code it and it may well be that users-admin
is the place it should go into. This is a much wanted feature that is
preserving security for remote login and administrative tasks.

It is easy to set up using PAM: you need to modify /etc/pam.d/gdm.conf
so that it contains this:
    auth sufficient pam_listfile.so sense=allow file=/etc/gdm/nopassword item=user

All we need is a GUI to select which users will be listed in this
file. First I thought gdm-setup would be the place to do that, but now I
believe it would be nice to put it in users-admin. See my post to the
GDM list. I'd like to get your comments about this.


Cheers


-------- Forwarded message --------
From: Milan Bouchet-Valat 
To: Maarten de Boer 
Cc: [EMAIL PROTECTED]
Subject: Re: [gdm-list] Allowing password-less connexions
Date: Sun, 04 May 2008 18:07:32 +0200

I've just read the answer Martin got last time he raised this issue.
Obviously distro-specific PAM will be a problem - but what would be nice
is that a distribution wanting to enable this feature can do this
easily. For this we would need mostly a GUI, since PAM files are anyway
written by the distros.

After thinking a little more, I thought that maybe it would be more
logical and easier to add a checkbox in the users profiles in
users-admin (from gnome-system-tools) allowing to skip password check in
GDM/gnome-screensaver. This option would just write the username to a
file (/etc/gdm-nopasswd.list, /etc/nopasswd.list or so...).
Distributions would have to choose between updating pam.d conf files
accordingly so that this is working, or disabling/hiding this feature
(via a GConf key for example).

Adding this in GDM would require more work and an extended interface,
and moreover the per-user approach may be more friendly than configuring
the login screen (system-wide).

Any comments/criticisms? I'm contacting the g-s-t team to hear what they
think of it, and I CC the gdm-list.






--
Click on WolfHalton.info and Speak Your Mind!
 
Of all things, good sense is the most fairly distributed: everyone thinks he is 
so well supplied with it that even those who are the hardest to satisfy in 
every other respect never desire more of it than they already have. -- René 
Descartes - Discours de la Méthode
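
Added example, not part of either message above: PAM stacks are configured per service, so an `auth sufficient pam_listfile.so` rule only affects the service file that contains it. The Python sketch below lists which services under /etc/pam.d carry such a rule and which users it exempts from the password check; the function names, the `sysroot` parameter and the sample tree (service files `gdm` and `sudo`, user `alice`) are constructed for illustration.

```python
import os
import tempfile

def read_users(path):
    """Return (users, writable_by_group_or_other); a missing list yields ([], False)."""
    try:
        with open(path) as fh:
            users = [ln.strip() for ln in fh if ln.strip()]
        return users, bool(os.stat(path).st_mode & 0o022)
    except OSError:
        return [], False

def audit_pam(sysroot="/"):
    """Map each PAM service that has a password-skipping pam_listfile rule to its details."""
    findings = {}
    for service in sorted(os.listdir(os.path.join(sysroot, "etc/pam.d"))):
        path = os.path.join(sysroot, "etc/pam.d", service)
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            text = fh.read().replace("\\\n", " ")  # join backslash-continued lines
        for line in text.splitlines():
            fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
            if (len(fields) < 4 or fields[0].lstrip("-") != "auth" or fields[1] != "sufficient"
                    or os.path.basename(fields[2]) != "pam_listfile.so"):
                continue
            opts = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
            if opts.get("sense") != "allow" or opts.get("item") != "user" or "file" not in opts:
                continue
            users, loose = read_users(os.path.join(sysroot, opts["file"].lstrip("/")))
            findings[service] = {"file": opts["file"], "users": users,
                                 "root_listed": "root" in users, "list_loosely_writable": loose}
    return findings

def build_sample(sysroot):
    """Constructed sample tree: gdm carries the rule from the message, sudo does not."""
    files = {"etc/pam.d/gdm": "auth sufficient pam_listfile.so sense=allow "
                              "file=/etc/gdm/nopassword item=user\nauth required pam_unix.so\n",
             "etc/pam.d/sudo": "# no listfile rule\nauth required pam_unix.so\n",
             "etc/gdm/nopassword": "alice\n"}
    for rel, body in files.items():
        path = os.path.join(sysroot, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(audit_pam(d))
```

Calling `audit_pam()` with no argument reads the live /etc/pam.d; rules written with a bracketed control value instead of `sufficient` are not matched by this sketch.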


       