Re: passwordless root login

To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: debian-user@lists.debian.org
Subject: Re: passwordless root login
From: Bijan Soleymani <bijan@psq.com>
Date: Wed, 15 Oct 2003 10:49:51 -0400
Message-id: <[🔎] 20031015144951.GA8657@server.crasseux.com>
In-reply-to: <[🔎] 20031014200221.GL27927@fieldses.org>
References: <[🔎] 20031012223032.GC7605@fieldses.org> <[🔎] 20031013195841.GA27316@server.crasseux.com> <[🔎] 20031014200221.GL27927@fieldses.org>

On Tue, Oct 14, 2003 at 04:02:22PM -0400, J. Bruce Fields wrote:
> Thanks, but with those lines removed I end up with all logins failing
> automatically and no request for a password.  This may be something that
> changed sometime between stable and unstable--I used to use a similar
> trick to allow local gdm logins without a password, but that stopped
> working at some point--I think the pam stuff has changed a bit.

I also use unstable. And I have rigged gdm not to check for passwords.
For gdm you have to use the pam_permit module or something like that
which just gives the application an ok when it asks for (password)
authentication.

I've attached my /etc/pam.d/login and /etc/pam.d/gdm files

Bijan
-- 
Bijan Soleymani <bijan@psq.com>
http://www.crasseux.com

#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
#auth       required   pam_unix.so nullok

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Standard Un*x account and session
account    required   pam_unix.so
session    required   pam_unix.so

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session    required   pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
session    optional   pam_mail.so standard noenv

# The standard Unix authentication modules, used with NIS (man nsswitch) as
# well as normal /etc/passwd and /etc/shadow entries. For the login service,
# this is only used when the password expires and must be changed, so make
# sure this one and the one in /etc/pam.d/passwd are the same. The "nullok"
# option allows users to change an empty password, else empty passwords are
# treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords the same way that
# `MD5_CRYPT_ENAB' would do under login.defs).
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

password   required   pam_unix.so nullok obscure min=4

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

#%PAM-1.0
auth     required       pam_nologin.so
auth     required       pam_env.so
#auth     required       pam_unix_auth.so
auth 	required	pam_permit.so
account  required       pam_unix_acct.so
#password required       pam_unix_passwd.so shadow
session  required       pam_unix_session.so
session  required	pam_limits.so

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- passwordless root login
  - From: "J. Bruce Fields" <bfields@fieldses.org>
- Re: passwordless root login
  - From: Bijan Soleymani <bijan@psq.com>
- Re: passwordless root login
  - From: "J. Bruce Fields" <bfields@fieldses.org>

Prev by Date: Re: speedy spam
Next by Date: Re: sa-exim: What user does spamassassin run as?
Previous by thread: Re: passwordless root login
Next by thread: Re: passwordless root login
Index(es):
- Date
- Thread