Bug#501849: Please permit installation with an empty user password - Debian


  1. Bug#501849: Please permit installation with an empty user password

    Emmet Hikory wrote:
    > I "really, really" wanted to do it to ease working with tools that
    > request graphical sudo authentication for devices that didn't have
    > keyboards. Yes, this is pointlessly insecure, and yes, there are input
    > tools that can be used in some cases, but these tend to be fairly
    > cumbersome.


    Otavio Salvador wrote:
    > I believe it is a nice option to be supported, even more that the
    > Debian Embedded effort is starting to be integrated on the
    > distribution.


    I can only see the point of this to some extent for some embedded devices.
    In general I would expect that embedded devices will require much more
    customization than just having the user password unset.

    Even stronger. For embedded devices with a graphical user interface I
    would expect that probably no login to the graphical user interface would
    be required (i.e. customization of display manager or of the way X.Org is
    started), and possibly that passwordless use of sudo would be allowed.
    But I also would expect the actual user ID still to be protected with a
    password, especially as a lot of these devices will have networking and
    thus do need fairly strong protection for external access.

    So I'm personally still not really convinced of the real value of this
    option, but will also not block its inclusion if others feel that it
    really is useful. But of course only if the implementation is sane, so my
    other comments would still need to be addressed.

    Please make sure that the installation guide explicitly warns that using
    the option will result in an insecure system!

    Emmet Hikory wrote:
    > Unless I misunderstand the purpose of the other internal use
    > templates in user-setup (which is quite possible), I suspect these
    > issues also need to be addressed for several existing templates. My
    > apologies for this error.


    Yes, you are right. Other templates in user-setup also don't follow the
    general "standard". See for example apt-setup or localechooser for
    "correct" examples.
    It's best to follow the style used in user-setup (unless you want to also
    provide a separate patch to fix existing templates in user-setup).

    Cheers,
    FJP




  2. Bug#501849: Please permit installation with an empty user password

    On Mon, 2008-10-13 at 09:26 +0200, Frans Pop wrote:
    > Emmet Hikory wrote:
    > > I "really, really" wanted to do it to ease working with tools that
    > > request graphical sudo authentication for devices that didn't have
    > > keyboards. Yes, this is pointlessly insecure, and yes, there are input
    > > tools that can be used in some cases, but these tend to be fairly
    > > cumbersome.
    >
    > I can only see the point of this to some extent for some embedded
    > devices.

    [..]
    > and possibly that passwordless use of sudo would be allowed.
    > But I also would expect the actual user ID still to be protected with
    > a password, especially as a lot of these devices will have networking
    > and thus do need fairly strong protection for external access.


    Yep. I am not sure that all network services in Debian have a "null
    password not ok" policy, à la pam_unix. (remember Win2K?)

    BTW, Gnome's gdm allows autologon. Also something like "pam_succeed_if
    uid=1000" or equivalent may achieve the expected behaviour.


    Franklin
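
The concern raised in this thread, that an empty user password is only as safe as each service's null-password policy, can be checked on an installed system. The following is an added example, not part of either message: it lists accounts with an empty hash field in shadow-format data and the PAM service files whose pam_unix auth line carries nullok or Debian's nullok_secure. The sample data and the service names ftpd and strictd are constructed.

```python
# Added example: constructed sample data, not taken from a real system.
NULL_OPTS = {"nullok", "nullok_secure"}  # pam_unix options that accept an empty password

SAMPLE_SHADOW = """\
root:!:14160:0:99999:7:::
kiosk::14160:0:99999:7:::
daemon:*:14160:0:99999:7:::
alice:$6$constructed$placeholderhash:14160:0:99999:7:::
"""

# File name -> contents, as found under /etc/pam.d (ftpd and strictd are hypothetical).
SAMPLE_PAM = {
    "common-auth": "auth required pam_unix.so nullok_secure\n",
    "login": "auth requisite pam_nologin.so\n@include common-auth\n",
    "ftpd": "auth [success=1 default=ignore] pam_unix.so nullok  # constructed\n",
    "strictd": "auth required pam_unix.so\n",
}

def empty_password_accounts(shadow_text):
    """Names whose hash field is empty; "!" and "*" mean locked, not empty."""
    rows = (l.split(":") for l in shadow_text.splitlines() if l.strip())
    return [f[0] for f in rows if len(f) > 1 and f[1] == ""]

def null_option(name, pam_files, seen=()):
    """First null-password option on an auth pam_unix line, following @include."""
    if name in seen:  # guard against include loops
        return None
    for raw in pam_files.get(name, "").splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) == 2 and tokens[0] == "@include":
            opt = null_option(tokens[1], pam_files, seen + (name,))
            if opt:
                return opt
        elif (len(tokens) >= 3 and tokens[0].lstrip("-") == "auth"
              and any(t.endswith("pam_unix.so") for t in tokens)):
            hit = NULL_OPTS.intersection(tokens)
            if hit:
                return sorted(hit)[0]
    return None

def audit(shadow_text, pam_files):
    """Return (empty-password accounts, {service: option that admits them})."""
    services = {n: null_option(n, pam_files) for n in pam_files
                if not n.startswith("common-")}
    return (empty_password_accounts(shadow_text),
            {n: o for n, o in services.items() if o})

if __name__ == "__main__":
    print(audit(SAMPLE_SHADOW, SAMPLE_PAM))
```

An empty-password account matters only where a service's auth stack admits it, so the two lists are meant to be read together.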



