Consider using nullok instead of nullok_secure to allow for passwordless login feature
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pam (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
As part of the Security & Privacy panel in System Settings, mpt proposed allowing users to easily set their account to log in without a password. (This feature actually already exists in the User Accounts panel, but it's a bit hard to discover.) A user needs admin rights to set this option.
However, setting this option breaks sudo and policykit authentication prompts.
mdeslaur believes this is because Ubuntu uses nullok_secure instead of nullok in the default pam configuration.
You can read the underlying conversation at http://
The mockup is at https:/
ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: libpam-modules 1.1.3-8ubuntu3
ProcVersionSign
Uname: Linux 3.10.0-2-generic x86_64
ApportVersion: 2.10.2-0ubuntu4
Architecture: amd64
Date: Thu Jul 11 11:37:47 2013
InstallationDate: Installed on 2013-06-14 (27 days ago)
InstallationMedia: Ubuntu-GNOME 13.10 "Saucy Salamander" - Alpha amd64 (20130613)
MarkForUpload: True
SourcePackage: pam
UpgradeStatus: No upgrade log present (probably fresh install)
The implications of using 'nullok' instead of 'nullok_secure' are that *all* services will allow passwordless access to the account, including remote services. It is not reasonable to use 'nullok' as a system-level setting, because this means, for instance, that if the user installs openssh-server, their machine can instantly be rooted remotely.
So pam is the wrong place to solve this. It seems to me that the system settings panel should instead directly manage a combination of lightdm, policykit, and sudo configuration options to enable passwordless access.
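The following audit sketch is an added example, not code from the bug report or the pam package: it reports which accounts have an empty password and how far the pam_unix option in effect lets them log in. It assumes the Debian/Ubuntu behaviour that `nullok_secure` accepts an empty password only on terminals listed in /etc/securetty; the function names and both sample files are constructed for illustration.

```python
# Constructed sample inputs, not taken from the bug report.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed)
auth  [success=1 default=ignore]  pam_unix.so nullok_secure
auth  requisite                   pam_deny.so
"""
SAMPLE_SHADOW = """\
root:!:15800:0:99999:7:::
alice::15800:0:99999:7:::
bob:$6$constructedsalt$constructedhash:15800:0:99999:7:::
"""

EXPOSURE = {
    "nullok": "any service using this stack, remote ones included",
    "nullok_secure": "only terminals listed in /etc/securetty",
    "none": "nowhere: empty passwords are rejected",
}


def null_policy(pam_text):
    """Return the most permissive null-password option on auth pam_unix lines."""
    policy = "none"
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        names = [t.rsplit("/", 1)[-1] for t in tokens]
        if not tokens or tokens[0].lstrip("-") != "auth" or "pam_unix.so" not in names:
            continue
        options = tokens[names.index("pam_unix.so") + 1:]
        if "nullok" in options:
            return "nullok"
        if "nullok_secure" in options:
            policy = "nullok_secure"
    return policy


def empty_password_accounts(shadow_text):
    """Return users whose shadow password field is empty (no password set)."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return [f[0] for f in rows if len(f) >= 2 and f[0] and f[1] == ""]


def audit(pam_text, shadow_text):
    """Map each empty-password account to where it can log in without a password."""
    where = EXPOSURE[null_policy(pam_text)]
    return {user: where for user in empty_password_accounts(shadow_text)}


if __name__ == "__main__":
    print(audit(SAMPLE_COMMON_AUTH, SAMPLE_SHADOW))
```

On a real system the inputs would be the contents of /etc/pam.d/common-auth and /etc/shadow, read as root.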