Brian Cameron wrote:
>> Does the face browser need to read anything in the user's home dir? If
>> so it must be disabled by default since it can cause a downgrade attack
>> if the user's home directory is supposed to be mounted with Kerberos by
>> default (but can fall back to sys). We have gone to great lengths over
>> the years to ensure that no login program ever touches the user's home
>> directory until after pam_authenticate() and pam_setcred() have returned
>> PAM_SUCCESS.
>
> Yes, the user's image file is loaded from the user's $HOME directory
> before authentication.

Can't we save the image file along with the user info somewhere in the /var/log/ConsoleKit/history?

Antonello