
Pitch: passwordless Debian



I wanted to pitch an idea for a wiki.debian.org set of pages and solicit feedback on the best way to go about researching and writing this documentation.

The collection idea is "How to set up a passwordless Debian environment." Passwordless as in *no passwords whatsoever*, as opposed to "Debian with 2FA" or "Packages that support autologin".

Yes, I know that there are a lot of moving parts here, and I also know that many packages don't support password alternatives.
One of the moving parts is picking passwordless technology. Off the top of my head (and I'm betraying my ignorance here), some major categories would be certificate-based, biometrics and, a little more in my interest, hardware-key-based authentication systems. Are there other common ones?

I'm guessing each technology will need its own subcategory because the mechanics differ somewhat. Then again, maybe a better categorisation would be by software package?

I've set up SSH passwordless, so that goes a long way. PAM *technically* supports password alternatives, but it struggles with handling fallbacks. That is, I can set up "fingerprint THEN security key" but not "fingerprint OR security key" - one must fail before attempting the next, and only in the order in which they're specified. I've read that LUKS can support passwordless configurations and other fancy things like storing the key headers off-system (which can turn any thumb drive into a poor man's security key). As a KDE user, Plasma kinda relies on PAM for authentication, but it handles non-password authentication poorly. I've heard somewhere that GNOME is a bit more progressive in its support.

The ulterior motive is that it might motivate package maintainers into supporting password alternatives.
Anyhow, that's my understanding of the overview. What do people think?

