Re: [Bug 104957] Re: users with no password can't log in with gdm
On 2 November 2011 01:41, Michael Basse <104...@bugs.launchpad.net> wrote: > why should it be a bug instead of a security-feature? Because the policy defined in /etc/securetty for local graphical terminals is inconsistent with the policy defined there for local text terminals, and because the lack of wildcard support in the code that parses /etc/securetty will continue to cause surprises for users whose local ttys don't fit one of the device/display names defined explicitly there. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/104957 Title: users with no password can't log in with gdm To manage notifications about this bug go to: https://bugs.launchpad.net/gdm/+bug/104957/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 104957] Re: users with no password can't log in with gdm
Thanks for agreeing with me on this case On Wed, 2009-08-19 at 20:14 +, Steve Langasek wrote: > Well in that case, I'm marking the gdm Ubuntu task as invalid. The > Debian shadow maintainer has agreed that /etc/securetty should mark > these X displays as trusted. This hasn't entirely been implemented yet > since fusa jumps straight to :20 as its next display number and > /etc/securetty only goes up to :3 currently, so this still needs to be > implemented (either by supporting wildcards in pam or by listing out all > the displays in /etc/securetty), but in either case no code can or > should be changed in gdm for this. > > ** Changed in: gdm (Ubuntu) >Status: Fix Committed => Invalid > > ** Changed in: pam (Ubuntu) >Importance: Undecided => Medium > -- users with no password can't log in with gdm https://bugs.launchpad.net/bugs/104957 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 104957] Re: users with no password can't log in with gdm
On Sun, May 10, 2009 at 05:32:33AM -, Flabdablet wrote: > 2009/5/9 Mantas Kriaučiūnas : > > way to solve password-less local login bug by adding lines bellow to > > /etc/shadow is correct > > They need to be added to /etc/securetty, not /etc/shadow. Yes, to /etc/securetty - this file is in login package, which builds from shadow sources - I wanted to write /etc/securetty but by mistake wrote /etc/shadow ;) -- Labanaktis/Good luck, Mantas Kriaučiūnas Jabber ID: man...@akl.ltGPG ID: 43535BD5 Public organization "Open Source for Lithuania" - www.akl.lt Naudok Baltix GNU/Linux sistemą savo kompiuteryje - http://baltix.lt -- users with no password can't log in with gdm https://bugs.launchpad.net/bugs/104957 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 104957] Re: users with no password can't log in with gdm
2009/5/9 Mantas Kriaučiūnas : > I've assigned this bug to shadow (login) packages, because according to > latest comments from Flabdablet and steve.langa...@canonical.com the > way to solve password-less local login bug by adding lines bellow to > /etc/shadow is correct They need to be added to /etc/securetty, not /etc/shadow. -- users with no password can't log in with gdm https://bugs.launchpad.net/bugs/104957 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 104957] Re: users with no password can't log in with gdm
On Wed, Mar 4, 2009 at 10:25 AM, Steve Langasek wrote: > I don't know if the display names always belong to local X servers; > answering that question would go a long way to help resolve this bug. OK. I just tested this by turning on XDMCP on the desktop box (192.168.119.2), and logging in from my laptop (192.168.119.5). From the laptop, attempting to log in as visitor fails, and when I subsequently log in as stephen and check /var/log/auth.log, I see that the failed visitor login has caused access denied: tty '192.168.119.5:3' is not secure ! So it looks like the names that PAM sees will in fact have a prepended hostname if they are X displays running remote. On that basis, I'm perfectly happy just to tack # Local X displays :0 :0.0 :1 :1.0 :2 :2.0 :3 :3.0 ... :63 :63.0 onto the end of /etc/securetty for my own use, and can see no real reason why this shouldn't be done as a distro default. Looks to me like the routines that parse /etc/securetty might benefit from some kind of wildcard support, though. That would make things much easier for anybody who actually wanted to turn on some password-free logins via a room full of thin clients. I can see a use for this in a classroom or public library, for example. -- users with no password can't log in with gdm https://bugs.launchpad.net/bugs/104957 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 104957] Re: users with no password can't log in with gdm
On Thu, Jul 31, 2008 at 08:34:43AM -, Sebastien Bacher wrote: > > Do xdmcp and the standard greeter declare separate PAM service names? > not that I know no but I'm not a pam expert and you might want to look > at the code to make sure that's not the case The gdm code does the following to decide what service name to use: pam_stack = gdm_daemon_config_get_value_string_per_display (GDM_KEY_PAM_STACK, (char *)d->name); So it looks up the service name on a per-display basis. If the mapping of display names for xdmcp is normally static, it's still simpler to add the "trusted" local displays to /etc/securetty instead of munging the PAM config, I think. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- users with no password can't log in with gdm https://bugs.launchpad.net/bugs/104957 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 104957] Re: users with no password can't log in with gdm
On Wed, Jul 30, 2008 at 10:13:01PM -, Sebastien Bacher wrote: > the xdmcp browser and standard login greeter are different interface so > it would probably be possible to special cases non password local logins > if somebody really wants to work on this nonsecure option Do xdmcp and the standard greeter declare separate PAM service names? Otherwise it's still not practical to do this by default without introducing a security hole, because unless the two can be distinguished by "tty" (i.e., X display) values, the PAM behavior is going to be either insecure, or block out this use case. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- users with no password can't log in with gdm https://bugs.launchpad.net/bugs/104957 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs