Am 19.06.2011 13:43, schrieb Stefan Seyfried:

Sorry, but this is bullshit.

If you just clicked "next", then you also did not password-protect your GRUB setup and did not encrypt your $HOME.

So people can get at your files regardless of the users password. They'll simply boot with "init=/bin/sh", remove the root password and eat your cake.

Hm, maybe I should explain my situation more: I ordered a new PC with openSUSE preinstalled. So, the people at the computer shop installed openSUSE and just clicked on "Next" when it appears. So, the create a user, and give them a password. The default openSUSE installation logs in the user idiomatically. I think *that´s* the problem. This should be fixed. thanks -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Le 19/06/2011 17:25, Stefan Seyfried a écrit :

Well, and if it did not log the user in automatically, then I'd simply boot the box with "init=/bin/bash" and eat your cake anyway.

the problem is not protection against computer addicts, but simply family or childs that can read your mail or disturb your config, like any windows do jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Sunday 19 June 2011 17:54:23 Kim Leyendecker wrote:

Am 19.06.2011 17:33, schrieb jdd:

...

the problem is not protection against computer addicts, but simply family or childs that can read your mail or disturb your config, like any windows do

+1 That´s the purpose of my request. Most OS'es auto-login when you have a single user configured. If you configure more than one user, it shouldn't auto-login. Then, if you have a family who might use your computer, simply configure accounts for them and the problem is solved.

I'm not sure if openSUSE already does this (not auto-login if you have multiple users) but in any case, I think this issue has arguments in both directions and I don't think we can solve it over a ML.

Sid Boyce wrote:

On 19/06/11 16:33, jdd wrote:

...

Le 19/06/2011 17:25, Stefan Seyfried a écrit :

...

Well, and if it did not log the user in automatically, then I'd simply boot the box with "init=/bin/bash" and eat your cake anyway.

the problem is not protection against computer addicts, but simply family or childs that can read your mail or disturb your config, like any windows do

jdd

I've had 2 instances where granddads gave their passwords to their little wonders and it was to their surprise what the kids destroyed. I set up new accounts for the kids and asked the guys to make sure no one knew their own new passwords and write the kids' passwords up in bold letters.

I've had kids on Linux desktops since age 4-5 - my own, the neighbours, friends etc. They have all been trained to type a password (even if it was just their own name). It works fine and it sets a precedent. -- Per Jessen, Zürich (16.6°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On 2011/06/19 17:15 (GMT+0200) Kim Leyendecker composed:

I ordered a new PC with openSUSE preinstalled. So, the people at the computer shop installed openSUSE and just clicked on "Next" when it appears. So, the create a user, and give them a password. The default openSUSE installation logs in the user idiomatically. I think *that´s* the problem. This should be fixed.

Until such time as this may get fixed, have the shop _not_ configure _any_ users at all except root (not possible in all distros, but quite possible in openSUSE). When you get it from the shop, log in as root, create user(s), and configure login behavior as you please. It's been years since I let YaST create any users other than root. -- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/ -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Andreas Jaeger writes:

On Sunday, June 19, 2011 21:31:00 Felix Miata wrote:

...

On 2011/06/19 17:15 (GMT+0200) Kim Leyendecker composed:

...

I ordered a new PC with openSUSE preinstalled. So, the people at the computer shop installed openSUSE and just clicked on "Next" when it appears. So, the create a user, and give them a password. The default openSUSE installation logs in the user idiomatically. I think *that´s* the problem. This should be fixed.

Until such time as this may get fixed, have the shop _not_ configure _any_ users at all except root (not possible in all distros, but quite possible in openSUSE). When you get it from the shop, log in as root, create user(s), and configure login behavior as you please.

And use the first-boot stuff from YaST to create users at the first time the system gets booted up...

http://en.opensuse.org/YaST_Firstboot ? I very much like the fact that some computer shops preinstall openSUSE, and that they just need to learn how to do it the right way. Any ideas how we can make it simpler for these great openSUSE preinstallers to give end users a smooth yast firstboot experience? Is there a point in here where we could point to information for weird corner case installations, like diskless, shared /usr, preinstall? http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-reference/cha.in... Or how do we prevent shop owners to give users an irritating first impression of openSUSE? S. -- Susanne Oberhauser SUSE LINUX Products GmbH +49-911-74053-574 Maxfeldstraße 5 Processes and Infrastructure 90409 Nürnberg GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Stefan Seyfried wrote:

Am Tue, 21 Jun 2011 12:52:16 +0200 schrieb Susanne Oberhauser :

...

Or how do we prevent shop owners to give users an irritating first impression of openSUSE?

Maybe the installer could just have a radiobox selection

(*) use automatic configuration ( ) manual configuration ( ) configure on first boot (preloaded system)

The "use automatic configuration" checkbox is already somewhere in there...

Just playing devils advocate - isn't this yet another corner case? How many PCs are being sold with openSUSE pre-installed by inexperienced MediaMarkt assistants? -- Per Jessen, Zürich (20.6°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Am 22.06.2011 10:16, schrieb Jos Poortvliet:

Crazy idea: maybe someone feels like building a "pre-load ISO" in suse studio :D

If it's good enough we could easily promote that on our download site.

I think it´s not a so crazy idea. It looks really interesting, quite frankly. The only question is: How? *Should we package the standard software like the DVD version does? *Or create two live CDs? *Or make something totally different up with the software the user want? What do you think. If it becomes more detailed, I´m in. thanks in advance -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Am 22.06.2011 21:21, schrieb Jos Poortvliet:

I think it should be as 'standard' as possible, just with this change. Then anyone could easily clone it and make their own, like the dutch Hettes.nl I blogged about earlier.

James Mason did a standard-live-CD with SUSE Studio AFAIK. I will clone his appliance and create a preloaded iso. thanks -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Am 22.06.2011 22:27, schrieb Jos Poortvliet:

Awesome. Now, the q is - how do we promote it, where can we put this so the right people (those looking for something like this) find it?

*news.o.o *software.opensuse.org/oem/*language as an example *contacting some computer magazines / Linux magazines *contacting some OEM sellers Would be my key points on promotion. Of course it also needs some love on the wiki. Maybe a OEM´s corner or something like this. thanks -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Kim Leyendecker wrote:

Am 22.06.2011 22:44, schrieb Kim Leyendecker:

...

Am 22.06.2011 22:27, schrieb Jos Poortvliet:

...

Awesome. Now, the q is - how do we promote it, where can we put this so the right people (those looking for something like this) find it?

*news.o.o *software.opensuse.org/oem/*language as an example *contacting some computer magazines / Linux magazines *contacting some OEM sellers

Would be my key points on promotion. Of course it also needs some love on the wiki. Maybe a OEM´s corner or something like this.

thanks

The iso was built. See here:

http://susegallery.com/a/3wzSxT/opensuse-oem-edition

Requires login to download? -- Per Jessen, Zürich (16.1°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Sun, 2011-06-19 at 13:43 +0200, Stefan Seyfried wrote:

Am Sun, 19 Jun 2011 11:28:36 +0200 schrieb Kim Leyendecker :

...

In the installer of openSUSE 11.4 (and I guess also in 11.3, 11.2 and 11.1) the toolbox "log in with this user automaticly" or something like this is choosen as default. That means, if you just click on "next" during installation, you will auto log in with your user, when you start your system. This happens without any password-check. This might be good for people who just want to work with their PC and don´t think about the system. But it´s a big security risk. Think of you got personal files on your harddrive, and your user is logged-in automaticly. Now, other people can easy get access to your /home dir. They just need to start your PC. So, please, disable this by default!

To drop a potential security lack

Sorry, but this is bullshit.

If you just clicked "next", then you also did not password-protect your GRUB setup and did not encrypt your $HOME.

So people can get at your files regardless of the users password. They'll simply boot with "init=/bin/sh", remove the root password and eat your cake.

...

To care about the user´s security

The user password has not that much to do with security.

Also auto-login is rather useful when using LUKS encryption - the encryption key is needed for booting, so the user password - which may (should?) be different - is only a secondary protection such as with a screen-saver lock. I find it very useful to log me in automatically when set up this way e.g. on the net-book that I'm using now. -- Cheers Richard (MQ) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Sun, Jun 19, 2011 at 11:23:12AM -0400, Cristian Rodr?guez wrote:

El 19/06/11 07:43, Stefan Seyfried escribió:

...

Sorry, but this is bullshit.

Yep, pretty much, Im not buying this argument at all.

...

The user password has not that much to do with security.

In short for "local security" the user password matters a royal damn.

If you do not encrypt the hard-disk, add bootloader passsword, and keep the computer in a safe location, the battle, is lost. RIP.

For remote auth, you must use ssh keys or similar, otherwise you are at the mercy of bruteforce attacks, that one is another lost battle btw.

It's not all about airtight security: It's there to let people know that you do not want them to access your computer. For home use, think of a locked drawer: Of course your family members may be able to get a lockpick and unlock the drawer or use a crowbar to force it open - but in an intact family that is not what will happen. So defaulting the install to ask for a password is the right thing to do, although it is a weak security measure it is a perfecly valid "social protection". Ciao Joerg -- Joerg Mayer We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On 06/19/2011 12:29 PM, Kim Leyendecker pecked at the keyboard and wrote:

Am 19.06.2011 17:23, schrieb Cristian Rodríguez:

...

In short for "local security" the user password matters a royal damn.

If you do not encrypt the hard-disk, add bootloader passsword, and keep the computer in a safe location, the battle, is lost. RIP.

For remote auth, you must use ssh keys or similar, otherwise you are at the mercy of bruteforce attacks, that one is another lost battle btw.

Well, that isn´t the point. If you really want to crack some other´s PC, you´ll find a method, pretty sure. It´s just, when you install a system, with an automatically log in, and you need to log in as root for any odd reason you have, it might be difficult (Yeah, you can log in over shell and so on, but it´s just *easier* to do it right know via kdm or gdm).

Than, if you use one PC togehter with, let me say, 4 people and 4 user accounts. So, user 1 get automatically logged-in. And the other? they need to log in via shell. That isn´t optimal at all.

So, why not change to a manual log in. Why not? It´s more secure in the case, that there´s someone other in your family, who wants to change your files, or just read them (this could be happen.).

The question is not: "Why should we do it?" It´s just "Why *shouldn´t* we do it?"

thanks

Since none of the other people want to help and only argue the merits try the following: start "Personal Settings" (in KDE) "System Administration" "Login Screen" "Convience" tab and uncheck the auto login selection. Then you will get the normal login prompt when kdm starts. -- Ken Schneider SuSe since Version 5.2, June 1998 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

fyi only - related to legal issues: IANAL, but I've been told that in the USA if a family computer has no password, then there is no right to privacy. If the computer does have a password, then there is. (At least as regards adults. Children don't have a right to privacy from their parents.). So while the password may not offer much if any technical security, it establishes legal security by making it a crime for another family member to bypass it. Note that in the US most corporations have a legal disclaimer that states they own all the data and the user has no right to privacy. Thus a corporate IT person or investigator is within their legal rights to ignore the presence of a password. I am NOT saying this argues one way or the other for the default, but I wanted to highlight that having a password is more than just a weak security issue. Greg -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2011-06-19 21:02, Cristian Rodríguez wrote:

El 19/06/11 14:31, Greg Freemyer escribió:

...

fyi only - related to legal issues:

IANAL, but I've been told that in the USA if a family computer has no password, then there is no right to privacy.

Passwords are designed for authorization purposes, nothing to do with privacy.

What you think as a technical person has nothing to do with what law makers in the USA (or elsewhere) think - or worse, mandate. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk3+ZzsACgkQtTMYHG2NR9UtMQCdE1f5U3GcdpwFpzM9kNkWmbYi NPYAn17V1fph/3qV+r0Oaqcqv75ZtCF9 =Rp1J -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Markus Slopianka wrote:

...

So, why not change to a manual log in. Why not? It´s more secure in the case, that there´s someone other in your family, who wants to change your files, or just read them (this could be happen.).

The question is not: "Why should we do it?" It´s just "Why *shouldn´t* we do it?"

If there is only a single user account present, logging in automatically is better usability.

Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room.

If more than one account is created, the account manager should ask to disable autologin.

Seriously, you are just a corner case and corner cases like you can be bothered to untick a little checkbox once.

I would tend to agree with that - I untick that box by default myself on every install, it's virtually automatic. It's a bit of a trade-off, usability vs. security. Or how many installations are single-user vs. multi-user. In principle I agree with Kims proposal, but in practice it's a non-issue.

If you really want that rudimentary security, a way better option is to enable autologin but then set the option to automatically lock the screen after login. That way the system loads completely (incl. network connections) and your corner case is still solved.

Or automatically disable the auto-login when the next user is defined. (i.e. when the systems goes from single- to multi-user.) -- Per Jessen, Zürich (16.6°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Stefan Seyfried wrote:

Am Sun, 19 Jun 2011 20:50:29 +0200 schrieb Per Jessen :

...

Or automatically disable the auto-login when the next user is defined. (i.e. when the systems goes from single- to multi-user.)

Once you turn on networked auth (NIS at least, but I think also for LDAP), YaST pops up a window telling you that autologin is enabled for user "foo" and asks if you want to disable that.

A similar thing when adding a user with the YaST user module would be good and probably it would not be that much work to implement (worst case would be to steal the code from the networked auth module).

YaST basically does that ever since the autologin features was implemented in 2003. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Mon, 20 Jun 2011 15:28:06 +0530, Stefan Seyfried wrote:

Hm, maybe I should finally use YaST instead of "useradd" to add a new user So I don't understand what the whining in this thread is all about...

it's about if those who want auto-login have to click an extra option during install, or the other ones. highly important matter, of course... -- phani. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Mon, 20 Jun 2011 19:58:03 +0530, Ken Schneider - openSUSE wrote:

On 06/20/2011 08:13 AM, phanisvara das pecked at the keyboard and wrote:

...

On Mon, 20 Jun 2011 15:28:06 +0530, Stefan Seyfried wrote:

...

Hm, maybe I should finally use YaST instead of "useradd" to add a new user So I don't understand what the whining in this thread is all about...

it's about if those who want auto-login have to click an extra option during install, or the other ones. highly important matter, of course...

NO! The OP asked how to turn it off on a system that came pre-installed with openSUSE. He did not ask for other peoples opinion on why it is one way or another.

not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards. -- phani. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On 06/20/2011 11:50 AM, Kim Leyendecker pecked at the keyboard and wrote:

Am 20.06.2011 17:35, schrieb phanisvara das:

...

not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.

right.

My apologies for the error, but I do remember it being asked.

I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in.

In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system.

I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.

So, what speaks against changing the default choose? :-)

-- Ken Schneider SuSe since Version 5.2, June 1998 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Per Jessen wrote:

Kim Leyendecker wrote:

...

Am 20.06.2011 17:35, schrieb phanisvara das:

...

not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.

right.

I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in.

In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system.

I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.

So, what speaks against changing the default choose? :-)

It seems to me that the current setup is a good compromise and probably needs no change. For a personal single-user machine, auto-login may be bad security practice, but it's good for usability. The minute the machine goes multi-user (via yast), the owner/admin is alerted about the auto-login and offered to disable it.

Logging in as root would be bad security practice. The autologin is irrelevant as long as you don't also lock down your BIOS¹ and boot loader and make sure that other OS can't access the Linux partition. That still doesn't help against an attacker that can open the casing though. So if you are concerned about privacy use disk encryption. You can even combine that with autologin to avoid having to type two passwords at boot. An argument that was not brought up in this discussion was password strength. I'd argue that having autologin decreases the chance of users picking silly but easy to type passwords like "12345". Fortunately that's not so much of a concern nowadays anymore with sshd off and firewall on by default though. So IMO having autologin on is a nice feature. Nevertheless there is room for further improvements: - lock down the bootloader by default. Maybe grub could be made to read the root password from /etc/shadow to avoid having yet another one. - allow to have local only accounts. Such users do not need a password at all. Only the display manager should be allowed to log them in. Ie no ssh, even if sshd is on for other accounts. - allow to map LUKS key slots to user names so the system would log in different users automatically depending on the passphrase that was typed to unlock the encrypted disk. cu Ludwig [1] BIOSes used to have master passwords though so locking down the BIOS actually doesn't work. I don't know if that's still the case on modern machines though. -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Monday 20 June 2011 17:50:52 Kim Leyendecker wrote:

Am 20.06.2011 17:35, schrieb phanisvara das:

...

not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.

right.

I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in.

In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system.

I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.

So, what speaks against changing the default choose? :-) Shoot in an openFATE feature, I'd say. I think the auto-login is convenient for the average home user, but I don't care much - I'll enable it myself (with auto lock after login of course) if I have to.

* jdd [06-20-11 17:58]:

Le 20/06/2011 22:56, Jos Poortvliet a écrit :

...

for the average home user, but I don't care much - I'll enable it myself (with auto lock after login of course) if I have to.

how do you manage this?

systemsettings --> login screen --> convenience --> uncheck "enable auto-login" -- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

* Ista Zahn [06-20-11 19:01]:

...

systemsettings --> login screen --> convenience --> uncheck "enable auto-login"

Does that actually work for you? It doesn't for me (I have to set it in YaST as I described earlier in this thread).

...

-- (paka)Patrick Shanahan       Plainfield, Indiana, USA      HOG # US1244711 http://wahoo.no-ip.org        Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org                           openSUSE Community Member Registered Linux User #207535                      @ http://counter.li.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

-- Ista Zahn Graduate student University of Rochester Department of Clinical and Social Psychology http://yourpsyche.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

I don't know. I don't use auto-log-in, but knew of the existance above and *assumed* it just worked as all my other linux apps do :^) -- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Tuesday 21 June 2011 07:55:17 jdd wrote:

Le 21/06/2011 00:43, Patrick Shanahan a écrit :

...

* jdd [06-20-11 17:58]:

...

Le 20/06/2011 22:56, Jos Poortvliet a écrit :

...

for the average home user, but I don't care much - I'll enable it myself (with auto lock after login of course) if I have to.

how do you manage this?

systemsettings --> login screen --> convenience --> uncheck "enable auto-login"

this I know (works with yast), but how can I make the system immediately lock after boot (and keep the usual lock delay after use)

thanks jdd

I believe I just went to the above systemsettings and configured it there...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/20/2011 11:50 AM, Kim Leyendecker wrote:

Am 20.06.2011 17:35, schrieb phanisvara das:

...

not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.

right.

I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in.

In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system.

I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.

So, what speaks against changing the default choose? :-)

I do. It's what users expect coming from other systems. I use autologin on my workstation and like it. I'd rather it not change. Conducting a simple vote on opensuse-factory based on personal preferences is not going to work for usability issues. The simple fact is that the vast majority of our users aren't on this list and the participants on this list tend to be more technically inclined. - -Jeff - -- Jeff Mahoney SuSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk4A5S4ACgkQLPWxlyuTD7KpAwCffisclpsiE72Cu1bJkqMi5FNs h4UAnREA6k3SddwT0hpIIshJHZSoYp4h =vZdn -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Le 22/06/2011 07:37, Per Jessen a écrit :

Jeff Mahoney wrote:

...

Conducting a simple vote on opensuse-factory based on personal preferences is not going to work for usability issues. The simple fact is that the vast majority of our users aren't on this list and the participants on this list tend to be more technically inclined.

That is probably the most important point made in this thread so far.

yes. And we have to educate users for good practices. Even wibndows users are now incited to use passwd (and I have to admit that using passwd protected windows system is more and more easy), so why mimic obsolete practice? In fact Linux has good practice and other system join us when we try to copycat old bad practices. Pretty funny jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On 19/06/11 19:07, Markus Slopianka wrote:

...

So, why not change to a manual log in. Why not? It´s more secure in the case, that there´s someone other in your family, who wants to change your files, or just read them (this could be happen.).

The question is not: "Why should we do it?" It´s just "Why *shouldn´t* we do it?" If there is only a single user account present, logging in automatically is better usability.

Better than having the extremely onerous task of entering a few additional keystrokes - I'll have to sleep on that one for a few years.

Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room.

All that is accomplished in runlevel 3, so I don't see what great benefit is gained - even life and death surgery has to wait until the ambulance has arrived, patient transported to theatre and the surgeon scubs up, dons his apron and gloves and considers how to proceed.

If more than one account is created, the account manager should ask to disable autologin.

Seriously, you are just a corner case and corner cases like you can be bothered to untick a little checkbox once. If you really want that rudimentary security, a way better option is to enable autologin but then set the option to automatically lock the screen after login. That way the system loads completely (incl. network connections) and your corner case is still solved. No corner case, no significant loss of time, no death resulting and no chance of a malpractice suit. Automatically log in in a work setting and you could lose a promising career. I have had people at work trying to guess my password. I went to do some work on a relative's Linux box and needed ssh access to my box at home to download some files if needed. A day later I remembered that ssh was still allowed through my smoothwall firewall box and the logs were full of password cracking attempts. Slack practices breed insecurity. Regards Sid.

-- Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Senior Staff Specialist, Cricket Coach Microsoft Windows Free Zone - Linux used for all Computing Tasks -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Am Tue, 21 Jun 2011 14:47:13 -0400 schrieb Jeff Mahoney :

I'm not sure how this is germane to the discussion. The accounts with autologin aren't passwordless and those defaults are already in lock-down mode.

Off-topic: the most secure password for SSH login is the empty one: ...because sshd default config forbids login with empty password :-) -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Am Wed, 22 Jun 2011 01:14:32 +0200 schrieb Christian Boltz :

Hello,

on Dienstag, 21. Juni 2011, Jeff Mahoney wrote:

...

...

On 19/06/11 19:07, Markus Slopianka wrote:

...

Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room. ... Not with NetworkManager enabled, which depends on the applet for

On 06/19/2011 03:10 PM, Sid Boyce wrote: per-user configuration.

Yes, that's one of the reasons why I don't like NM :-(

Would it be possible to "cache" the last used connection and (try to) use this connection again at the next boot, even if nobody is logged in yet? (And also not to disconnect after logout?)

I guess that's what that "Available to all users" checkbox in nm-connection-editor is for? (Never tried it, but it certainly looks like "make the connection stored in system-wide storage")

- network available to boot scripts (ntpd has a "nice" timeout at boot if the network/internet is not reachable)

ntpd simply needs a trigger on "network up" event. I did this with a dispatcher script.

- network is available for sure when the user logs in (think of KMail in autostart, and having it configured to fetch mails at startup - with NM this can be a nice race condition)

Complain to the KMail developers if it does not honor network state notifications. Claws-Mail and pidgin go offline if my connection is offline and don't bother me with errors.

What do you think about this idea?

I think it's all already there. -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Tuesday 21 Jun 2011 20:47:13 Jeff Mahoney wrote:

...

Better than having the extremely onerous task of entering a few additional keystrokes - I'll have to sleep on that one for a few years.

...

Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room.

All that is accomplished in runlevel 3, so I don't see what great benefit is gained - even life and death surgery has to wait until the ambulance has arrived, patient transported to theatre and the surgeon scubs up, dons his apron and gloves and considers how to proceed.

Not with NetworkManager enabled, which depends on the applet for per-user configuration.

NM 0.9 does not depend on the applet for per-user configuration any more - it is all pushed into the daemon, controlled by polkit. Will -- Will Stephenson, openSUSE Team SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Le 19/06/2011 20:07, Markus Slopianka a écrit :

If there is only a single user account present, logging in automatically is better usability.

and teach extremely bad practice. Even on a one user copputer, allowing anybody passing by to read the content or simply use the computer without asking, trash the config... That's exactly what makes the difference between Windows and Linux: Windows allows all but soon fails to work, Linux ask for some effort but works for ever jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

El 19/06/11 16:24, jdd escribió:

Le 19/06/2011 20:07, Markus Slopianka a écrit :

...

If there is only a single user account present, logging in automatically is better usability.

and teach extremely bad practice.

You are trying to solve an edge-case, a problematic human behavior with technology that is not designed for that task. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/19/2011 07:12 PM, Anders Johansson wrote:

On Sunday 19 June 2011 16:46:03 Cristian Rodríguez wrote:

...

El 19/06/11 16:24, jdd escribió:

...

Le 19/06/2011 20:07, Markus Slopianka a écrit :

...

If there is only a single user account present, logging in automatically is better usability.

and teach extremely bad practice.

You are trying to solve an edge-case, a problematic human behavior with technology that is not designed for that task.

Are you really arguing for doing what windows 98 did, when even windows XP defaults to making you log in?

I wouldn't use Windows as a shining example of usability either. MacOS does autologin when there is only one user defined and offers to disable it when there are multiple users defined. - -Jeff - -- Jeff Mahoney SuSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk4A55YACgkQLPWxlyuTD7In7wCfcjoeIno3Iwuo6ExwjYs/tya8 nqAAn31BkAaqvDFNyyeGaW1aCALvBcD7 =ut1k -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Tuesday, June 21, 2011 05:44:13 PM jdd wrote:

so just because others do silly things, we have to do the same?

It was mentioned few times that user login is not the way to protect your data. That other know that doesn't make them silly.

I just learned that it's possible to have autologin with passwd enabled (locked) right after boot, this seems to fix all the problems.

What problems? You just switched place where login happens, which allows user services to start, but security is not increased for a bit. If you leave computer unattended, who will prevent reboot with Live system and theft of data, installation of malware, and what not? When you come back, you will see your login and think all is fine :) Without login you will at least be aware that anyone can use computer and will not leave it, which is protection from more attack vectors then login alone.

Is it possible to have this as default?

Sure it is :) Anyone can have on computer anything as default, but, please, don't insist that false sense of protection is way to go. -- Regards, Rajko -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Rajko M. wrote:

On Tuesday, June 21, 2011 05:44:13 PM jdd wrote:

...

so just because others do silly things, we have to do the same?

It was mentioned few times that user login is not the way to protect your data.

It was also mentioned a few times that that is not the primary concern. Most are "attackers" are not malicious, some are simply accidental or opportunistic. -- Per Jessen, Zürich (18.9°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On 06/19/2011 03:43 AM, Stefan Seyfried wrote:

If you just clicked "next", then you also did not password-protect your GRUB setup and did not encrypt your $HOME.

So people can get at your files regardless of the users password. They'll simply boot with "init=/bin/sh", remove the root password and eat your cake.

encrypted /home has been mentioned a few times.. Folks must know that you should really encrypt tmp and swap as well. Also encryption won't save you from the law and court order. I guess you should use hidden double encryption ala truecrypt for that.. I wouldn't know. No encryption here :-) this is all even further off-topic, sorry. just put it in FATE & lets vote on it. -johnm -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org