[opensuse-factory] disable autologin as default
Because there´s something wrong with openFATE (should I file a bug?) I post my feature request here: ====================================================================== description: ============ In the installer of openSUSE 11.4 (and I guess also in 11.3, 11.2 and 11.1) the toolbox "log in with this user automaticly" or something like this is choosen as default. That means, if you just click on "next" during installation, you will auto log in with your user, when you start your system. This happens without any password-check. This might be good for people who just want to work with their PC and don´t think about the system. But it´s a big security risk. Think of you got personal files on your harddrive, and your user is logged-in automaticly. Now, other people can easy get access to your /home dir. They just need to start your PC. So, please, disable this by default! To drop a potential security lack To care about the user´s security =========================================================================== thanks -- Kim Leyendecker kdl@k-dl.de.vu openSUSE Ambassador, openSUSE Wiki DE Send from my notebook -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Le 19/06/2011 11:28, Kim Leyendecker a écrit :
11.1) the toolbox "log in with this user automaticly" or something
windowslike philosophy, but as openSUSE is not aimed to complete newbie, this is not a good idea (mostly associated with "receive the root mails") that's a default I remove almost always... jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am Sun, 19 Jun 2011 11:28:36 +0200
schrieb Kim Leyendecker
In the installer of openSUSE 11.4 (and I guess also in 11.3, 11.2 and 11.1) the toolbox "log in with this user automaticly" or something like this is choosen as default. That means, if you just click on "next" during installation, you will auto log in with your user, when you start your system. This happens without any password-check. This might be good for people who just want to work with their PC and don´t think about the system. But it´s a big security risk. Think of you got personal files on your harddrive, and your user is logged-in automaticly. Now, other people can easy get access to your /home dir. They just need to start your PC. So, please, disable this by default!
To drop a potential security lack
Sorry, but this is bullshit. If you just clicked "next", then you also did not password-protect your GRUB setup and did not encrypt your $HOME. So people can get at your files regardless of the users password. They'll simply boot with "init=/bin/sh", remove the root password and eat your cake.
To care about the user´s security
The user password has not that much to do with security. -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am 19.06.2011 13:43, schrieb Stefan Seyfried:
Sorry, but this is bullshit.
If you just clicked "next", then you also did not password-protect your GRUB setup and did not encrypt your $HOME.
So people can get at your files regardless of the users password. They'll simply boot with "init=/bin/sh", remove the root password and eat your cake.
Hm, maybe I should explain my situation more: I ordered a new PC with openSUSE preinstalled. So, the people at the computer shop installed openSUSE and just clicked on "Next" when it appears. So, the create a user, and give them a password. The default openSUSE installation logs in the user idiomatically. I think *that´s* the problem. This should be fixed. thanks -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am Sun, 19 Jun 2011 17:15:22 +0200
schrieb Kim Leyendecker
Hm, maybe I should explain my situation more:
I ordered a new PC with openSUSE preinstalled. So, the people at the computer shop installed openSUSE and just clicked on "Next" when it appears. So, the create a user, and give them a password. The default openSUSE installation logs in the user idiomatically. I think *that´s* the problem. This should be fixed.
Well, and if it did not log the user in automatically, then I'd simply boot the box with "init=/bin/bash" and eat your cake anyway. There is nothing you can do about stupid users / preinstallers. Normally, a preload system asks you on first boot for your password and other setup / config parameters and sets it up. That's what the yast2 firstboot module is for. -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Le 19/06/2011 17:25, Stefan Seyfried a écrit :
Well, and if it did not log the user in automatically, then I'd simply boot the box with "init=/bin/bash" and eat your cake anyway.
the problem is not protection against computer addicts, but simply family or childs that can read your mail or disturb your config, like any windows do jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am 19.06.2011 17:33, schrieb jdd:
the problem is not protection against computer addicts, but simply family or childs that can read your mail or disturb your config, like any windows do
+1 That´s the purpose of my request. -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Sunday 19 June 2011 17:54:23 Kim Leyendecker wrote:
Am 19.06.2011 17:33, schrieb jdd:
the problem is not protection against computer addicts, but simply family or childs that can read your mail or disturb your config, like any windows do
+1 That´s the purpose of my request. Most OS'es auto-login when you have a single user configured. If you configure more than one user, it shouldn't auto-login. Then, if you have a family who might use your computer, simply configure accounts for them and the problem is solved.
I'm not sure if openSUSE already does this (not auto-login if you have multiple users) but in any case, I think this issue has arguments in both directions and I don't think we can solve it over a ML.
On 19/06/11 16:33, jdd wrote:
Le 19/06/2011 17:25, Stefan Seyfried a écrit :
Well, and if it did not log the user in automatically, then I'd simply boot the box with "init=/bin/bash" and eat your cake anyway.
the problem is not protection against computer addicts, but simply family or childs that can read your mail or disturb your config, like any windows do
jdd
I've had 2 instances where granddads gave their passwords to their little wonders and it was to their surprise what the kids destroyed. I set up new accounts for the kids and asked the guys to make sure no one knew their own new passwords and write the kids' passwords up in bold letters. Regards Sid. -- Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Senior Staff Specialist, Cricket Coach Microsoft Windows Free Zone - Linux used for all Computing Tasks -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Sid Boyce wrote:
On 19/06/11 16:33, jdd wrote:
Le 19/06/2011 17:25, Stefan Seyfried a écrit :
Well, and if it did not log the user in automatically, then I'd simply boot the box with "init=/bin/bash" and eat your cake anyway.
the problem is not protection against computer addicts, but simply family or childs that can read your mail or disturb your config, like any windows do
jdd
I've had 2 instances where granddads gave their passwords to their little wonders and it was to their surprise what the kids destroyed. I set up new accounts for the kids and asked the guys to make sure no one knew their own new passwords and write the kids' passwords up in bold letters.
I've had kids on Linux desktops since age 4-5 - my own, the neighbours, friends etc. They have all been trained to type a password (even if it was just their own name). It works fine and it sets a precedent. -- Per Jessen, Zürich (16.6°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On 19/06/11 19:53, Per Jessen wrote:
Sid Boyce wrote:
On 19/06/11 16:33, jdd wrote:
Le 19/06/2011 17:25, Stefan Seyfried a écrit :
Well, and if it did not log the user in automatically, then I'd simply boot the box with "init=/bin/bash" and eat your cake anyway. the problem is not protection against computer addicts, but simply family or childs that can read your mail or disturb your config, like any windows do
jdd
I've had 2 instances where granddads gave their passwords to their little wonders and it was to their surprise what the kids destroyed. I set up new accounts for the kids and asked the guys to make sure no one knew their own new passwords and write the kids' passwords up in bold letters. I've had kids on Linux desktops since age 4-5 - my own, the neighbours, friends etc. They have all been trained to type a password (even if it was just their own name). It works fine and it sets a precedent.
I couldn't agree more, it's as easy as falling off a log. For most kids you don't even have to teach them, they see a password is needed and they understand what a password is. Regards Sid. -- Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Senior Staff Specialist, Cricket Coach Microsoft Windows Free Zone - Linux used for all Computing Tasks -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On 2011/06/19 17:15 (GMT+0200) Kim Leyendecker composed:
I ordered a new PC with openSUSE preinstalled. So, the people at the computer shop installed openSUSE and just clicked on "Next" when it appears. So, the create a user, and give them a password. The default openSUSE installation logs in the user idiomatically. I think *that´s* the problem. This should be fixed.
Until such time as this may get fixed, have the shop _not_ configure _any_ users at all except root (not possible in all distros, but quite possible in openSUSE). When you get it from the shop, log in as root, create user(s), and configure login behavior as you please. It's been years since I let YaST create any users other than root. -- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/ -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Sunday, June 19, 2011 21:31:00 Felix Miata wrote:
On 2011/06/19 17:15 (GMT+0200) Kim Leyendecker composed:
I ordered a new PC with openSUSE preinstalled. So, the people at the computer shop installed openSUSE and just clicked on "Next" when it appears. So, the create a user, and give them a password. The default openSUSE installation logs in the user idiomatically. I think *that´s* the problem. This should be fixed.
Until such time as this may get fixed, have the shop _not_ configure _any_ users at all except root (not possible in all distros, but quite possible in openSUSE). When you get it from the shop, log in as root, create user(s), and configure login behavior as you please.
And use the first-boot stuff from YaST to create users at the first time the system gets booted up... Andreas -- Andreas Jaeger, Program Manager openSUSE aj@{novell.com,suse.com,opensuse.org} Twitter/Identica: jaegerandi SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Andreas Jaeger
On Sunday, June 19, 2011 21:31:00 Felix Miata wrote:
On 2011/06/19 17:15 (GMT+0200) Kim Leyendecker composed:
I ordered a new PC with openSUSE preinstalled. So, the people at the computer shop installed openSUSE and just clicked on "Next" when it appears. So, the create a user, and give them a password. The default openSUSE installation logs in the user idiomatically. I think *that´s* the problem. This should be fixed.
Until such time as this may get fixed, have the shop _not_ configure _any_ users at all except root (not possible in all distros, but quite possible in openSUSE). When you get it from the shop, log in as root, create user(s), and configure login behavior as you please.
And use the first-boot stuff from YaST to create users at the first time the system gets booted up...
http://en.opensuse.org/YaST_Firstboot ? I very much like the fact that some computer shops preinstall openSUSE, and that they just need to learn how to do it the right way. Any ideas how we can make it simpler for these great openSUSE preinstallers to give end users a smooth yast firstboot experience? Is there a point in here where we could point to information for weird corner case installations, like diskless, shared /usr, preinstall? http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-reference/cha.in... Or how do we prevent shop owners to give users an irritating first impression of openSUSE? S. -- Susanne Oberhauser SUSE LINUX Products GmbH +49-911-74053-574 Maxfeldstraße 5 Processes and Infrastructure 90409 Nürnberg GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am Tue, 21 Jun 2011 12:52:16 +0200
schrieb Susanne Oberhauser
Or how do we prevent shop owners to give users an irritating first impression of openSUSE?
Maybe the installer could just have a radiobox selection (*) use automatic configuration ( ) manual configuration ( ) configure on first boot (preloaded system) The "use automatic configuration" checkbox is already somewhere in there... -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Stefan Seyfried wrote:
Am Tue, 21 Jun 2011 12:52:16 +0200 schrieb Susanne Oberhauser
: Or how do we prevent shop owners to give users an irritating first impression of openSUSE?
Maybe the installer could just have a radiobox selection
(*) use automatic configuration ( ) manual configuration ( ) configure on first boot (preloaded system)
The "use automatic configuration" checkbox is already somewhere in there...
Just playing devils advocate - isn't this yet another corner case? How many PCs are being sold with openSUSE pre-installed by inexperienced MediaMarkt assistants? -- Per Jessen, Zürich (20.6°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Wednesday 22 June 2011 08:22:48 Per Jessen wrote:
Stefan Seyfried wrote:
Am Tue, 21 Jun 2011 12:52:16 +0200
schrieb Susanne Oberhauser
: Or how do we prevent shop owners to give users an irritating first impression of openSUSE?
Maybe the installer could just have a radiobox selection
(*) use automatic configuration ( ) manual configuration ( ) configure on first boot (preloaded system)
The "use automatic configuration" checkbox is already somewhere in there...
Just playing devils advocate - isn't this yet another corner case? How many PCs are being sold with openSUSE pre-installed by inexperienced MediaMarkt assistants?
Crazy idea: maybe someone feels like building a "pre-load ISO" in suse studio :D If it's good enough we could easily promote that on our download site.
Am 22.06.2011 10:16, schrieb Jos Poortvliet:
Crazy idea: maybe someone feels like building a "pre-load ISO" in suse studio :D
If it's good enough we could easily promote that on our download site.
I think it´s not a so crazy idea. It looks really interesting, quite frankly. The only question is: How? *Should we package the standard software like the DVD version does? *Or create two live CDs? *Or make something totally different up with the software the user want? What do you think. If it becomes more detailed, I´m in. thanks in advance -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Wednesday 22 June 2011 16:31:02 Kim Leyendecker wrote:
Am 22.06.2011 10:16, schrieb Jos Poortvliet:
Crazy idea: maybe someone feels like building a "pre-load ISO" in suse studio
:D
If it's good enough we could easily promote that on our download site.
I think it´s not a so crazy idea. It looks really interesting, quite frankly.
The only question is: How?
*Should we package the standard software like the DVD version does? *Or create two live CDs? *Or make something totally different up with the software the user want?
I think it should be as 'standard' as possible, just with this change. Then anyone could easily clone it and make their own, like the dutch Hettes.nl I blogged about earlier.
What do you think. If it becomes more detailed, I´m in.
thanks in advance
Am 22.06.2011 21:21, schrieb Jos Poortvliet:
I think it should be as 'standard' as possible, just with this change. Then anyone could easily clone it and make their own, like the dutch Hettes.nl I blogged about earlier.
James Mason did a standard-live-CD with SUSE Studio AFAIK. I will clone his appliance and create a preloaded iso. thanks -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Wednesday 22 June 2011 21:53:55 Kim Leyendecker wrote:
Am 22.06.2011 21:21, schrieb Jos Poortvliet:
I think it should be as 'standard' as possible, just with this change. Then anyone could easily clone it and make their own, like the dutch Hettes.nl I blogged about earlier.
James Mason did a standard-live-CD with SUSE Studio AFAIK. I will clone his appliance and create a preloaded iso.
thanks
Awesome. Now, the q is - how do we promote it, where can we put this so the right people (those looking for something like this) find it?
Am 22.06.2011 22:27, schrieb Jos Poortvliet:
Awesome. Now, the q is - how do we promote it, where can we put this so the right people (those looking for something like this) find it?
*news.o.o *software.opensuse.org/oem/*language as an example *contacting some computer magazines / Linux magazines *contacting some OEM sellers Would be my key points on promotion. Of course it also needs some love on the wiki. Maybe a OEM´s corner or something like this. thanks -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am 22.06.2011 22:44, schrieb Kim Leyendecker:
Am 22.06.2011 22:27, schrieb Jos Poortvliet:
Awesome. Now, the q is - how do we promote it, where can we put this so the right people (those looking for something like this) find it?
*news.o.o *software.opensuse.org/oem/*language as an example *contacting some computer magazines / Linux magazines *contacting some OEM sellers
Would be my key points on promotion. Of course it also needs some love on the wiki. Maybe a OEM´s corner or something like this.
thanks
The iso was built. See here: http://susegallery.com/a/3wzSxT/opensuse-oem-edition thanks -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Kim Leyendecker wrote:
Am 22.06.2011 22:44, schrieb Kim Leyendecker:
Am 22.06.2011 22:27, schrieb Jos Poortvliet:
Awesome. Now, the q is - how do we promote it, where can we put this so the right people (those looking for something like this) find it?
*news.o.o *software.opensuse.org/oem/*language as an example *contacting some computer magazines / Linux magazines *contacting some OEM sellers
Would be my key points on promotion. Of course it also needs some love on the wiki. Maybe a OEM´s corner or something like this.
thanks
The iso was built. See here:
Requires login to download? -- Per Jessen, Zürich (16.1°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am 23.06.2011 13:59, schrieb Per Jessen:
Requires login to download?
yes. It´s just like every appliance created with SUSE Studio. thanks -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Sun, 2011-06-19 at 13:43 +0200, Stefan Seyfried wrote:
Am Sun, 19 Jun 2011 11:28:36 +0200 schrieb Kim Leyendecker
: In the installer of openSUSE 11.4 (and I guess also in 11.3, 11.2 and 11.1) the toolbox "log in with this user automaticly" or something like this is choosen as default. That means, if you just click on "next" during installation, you will auto log in with your user, when you start your system. This happens without any password-check. This might be good for people who just want to work with their PC and don´t think about the system. But it´s a big security risk. Think of you got personal files on your harddrive, and your user is logged-in automaticly. Now, other people can easy get access to your /home dir. They just need to start your PC. So, please, disable this by default!
To drop a potential security lack
Sorry, but this is bullshit.
If you just clicked "next", then you also did not password-protect your GRUB setup and did not encrypt your $HOME.
So people can get at your files regardless of the users password. They'll simply boot with "init=/bin/sh", remove the root password and eat your cake.
To care about the user´s security
The user password has not that much to do with security.
Also auto-login is rather useful when using LUKS encryption - the encryption key is needed for booting, so the user password - which may (should?) be different - is only a secondary protection such as with a screen-saver lock. I find it very useful to log me in automatically when set up this way e.g. on the net-book that I'm using now. -- Cheers Richard (MQ) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
El 19/06/11 07:43, Stefan Seyfried escribió:
Sorry, but this is bullshit.
Yep, pretty much, Im not buying this argument at all.
The user password has not that much to do with security.
In short for "local security" the user password matters a royal damn. If you do not encrypt the hard-disk, add bootloader passsword, and keep the computer in a safe location, the battle, is lost. RIP. For remote auth, you must use ssh keys or similar, otherwise you are at the mercy of bruteforce attacks, that one is another lost battle btw. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Sun, Jun 19, 2011 at 11:23:12AM -0400, Cristian Rodr?guez wrote:
El 19/06/11 07:43, Stefan Seyfried escribió:
Sorry, but this is bullshit.
Yep, pretty much, Im not buying this argument at all.
The user password has not that much to do with security.
In short for "local security" the user password matters a royal damn.
If you do not encrypt the hard-disk, add bootloader passsword, and keep the computer in a safe location, the battle, is lost. RIP.
For remote auth, you must use ssh keys or similar, otherwise you are at the mercy of bruteforce attacks, that one is another lost battle btw.
It's not all about airtight security: It's there to let people know that
you do not want them to access your computer. For home use, think of a
locked drawer: Of course your family members may be able to get a lockpick
and unlock the drawer or use a crowbar to force it open - but in an intact
family that is not what will happen. So defaulting the install to ask for
a password is the right thing to do, although it is a weak security measure
it is a perfecly valid "social protection".
Ciao
Joerg
--
Joerg Mayer
Am 19.06.2011 17:23, schrieb Cristian Rodríguez:
In short for "local security" the user password matters a royal damn.
If you do not encrypt the hard-disk, add bootloader passsword, and keep the computer in a safe location, the battle, is lost. RIP.
For remote auth, you must use ssh keys or similar, otherwise you are at the mercy of bruteforce attacks, that one is another lost battle btw.
Well, that isn´t the point. If you really want to crack some other´s PC, you´ll find a method, pretty sure. It´s just, when you install a system, with an automatically log in, and you need to log in as root for any odd reason you have, it might be difficult (Yeah, you can log in over shell and so on, but it´s just *easier* to do it right know via kdm or gdm). Than, if you use one PC togehter with, let me say, 4 people and 4 user accounts. So, user 1 get automatically logged-in. And the other? they need to log in via shell. That isn´t optimal at all. So, why not change to a manual log in. Why not? It´s more secure in the case, that there´s someone other in your family, who wants to change your files, or just read them (this could be happen.). The question is not: "Why should we do it?" It´s just "Why *shouldn´t* we do it?" thanks -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On 06/19/2011 12:29 PM, Kim Leyendecker pecked at the keyboard and wrote:
Am 19.06.2011 17:23, schrieb Cristian Rodríguez:
In short for "local security" the user password matters a royal damn.
If you do not encrypt the hard-disk, add bootloader passsword, and keep the computer in a safe location, the battle, is lost. RIP.
For remote auth, you must use ssh keys or similar, otherwise you are at the mercy of bruteforce attacks, that one is another lost battle btw.
Well, that isn´t the point. If you really want to crack some other´s PC, you´ll find a method, pretty sure. It´s just, when you install a system, with an automatically log in, and you need to log in as root for any odd reason you have, it might be difficult (Yeah, you can log in over shell and so on, but it´s just *easier* to do it right know via kdm or gdm).
Than, if you use one PC togehter with, let me say, 4 people and 4 user accounts. So, user 1 get automatically logged-in. And the other? they need to log in via shell. That isn´t optimal at all.
So, why not change to a manual log in. Why not? It´s more secure in the case, that there´s someone other in your family, who wants to change your files, or just read them (this could be happen.).
The question is not: "Why should we do it?" It´s just "Why *shouldn´t* we do it?"
thanks
Since none of the other people want to help and only argue the merits try the following: start "Personal Settings" (in KDE) "System Administration" "Login Screen" "Convience" tab and uncheck the auto login selection. Then you will get the normal login prompt when kdm starts. -- Ken Schneider SuSe since Version 5.2, June 1998 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
So, why not change to a manual log in. Why not? It´s more secure in the case, that there´s someone other in your family, who wants to change your files, or just read them (this could be happen.).
The question is not: "Why should we do it?" It´s just "Why *shouldn´t* we do it?"
If there is only a single user account present, logging in automatically is better usability. Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room. If more than one account is created, the account manager should ask to disable autologin. Seriously, you are just a corner case and corner cases like you can be bothered to untick a little checkbox once. If you really want that rudimentary security, a way better option is to enable autologin but then set the option to automatically lock the screen after login. That way the system loads completely (incl. network connections) and your corner case is still solved. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
fyi only - related to legal issues: IANAL, but I've been told that in the USA if a family computer has no password, then there is no right to privacy. If the computer does have a password, then there is. (At least as regards adults. Children don't have a right to privacy from their parents.). So while the password may not offer much if any technical security, it establishes legal security by making it a crime for another family member to bypass it. Note that in the US most corporations have a legal disclaimer that states they own all the data and the user has no right to privacy. Thus a corporate IT person or investigator is within their legal rights to ignore the presence of a password. I am NOT saying this argues one way or the other for the default, but I wanted to highlight that having a password is more than just a weak security issue. Greg -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
El 19/06/11 14:31, Greg Freemyer escribió:
fyi only - related to legal issues:
IANAL, but I've been told that in the USA if a family computer has no password, then there is no right to privacy.
Passwords are designed for authorization purposes, nothing to do with privacy.
So while the password may not offer much if any technical security, it establishes legal security by making it a crime for another family member to bypass it.
Isn't "legal security" an oxymoron ? ;) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2011-06-19 21:02, Cristian Rodríguez wrote:
El 19/06/11 14:31, Greg Freemyer escribió:
fyi only - related to legal issues:
IANAL, but I've been told that in the USA if a family computer has no password, then there is no right to privacy.
Passwords are designed for authorization purposes, nothing to do with privacy.
What you think as a technical person has nothing to do with what law makers in the USA (or elsewhere) think - or worse, mandate. - -- Cheers / Saludos, Carlos E. R. (from 11.4 x86_64 "Celadon" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk3+ZzsACgkQtTMYHG2NR9UtMQCdE1f5U3GcdpwFpzM9kNkWmbYi NPYAn17V1fph/3qV+r0Oaqcqv75ZtCF9 =Rp1J -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am Sonntag 19 Juni 2011, 20:31:47 schrieb Greg Freemyer:
So while the password may not offer much if any technical security, it establishes legal security by making it a crime for another family member to bypass it.
If you have a family so broken that you have to fear to be a victim of crime, you can certainly check a little box or -- even better -- move out and encrypt your home partition. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Markus Slopianka wrote:
So, why not change to a manual log in. Why not? It´s more secure in the case, that there´s someone other in your family, who wants to change your files, or just read them (this could be happen.).
The question is not: "Why should we do it?" It´s just "Why *shouldn´t* we do it?"
If there is only a single user account present, logging in automatically is better usability.
Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room.
If more than one account is created, the account manager should ask to disable autologin.
Seriously, you are just a corner case and corner cases like you can be bothered to untick a little checkbox once.
I would tend to agree with that - I untick that box by default myself on every install, it's virtually automatic. It's a bit of a trade-off, usability vs. security. Or how many installations are single-user vs. multi-user. In principle I agree with Kims proposal, but in practice it's a non-issue.
If you really want that rudimentary security, a way better option is to enable autologin but then set the option to automatically lock the screen after login. That way the system loads completely (incl. network connections) and your corner case is still solved.
Or automatically disable the auto-login when the next user is defined. (i.e. when the systems goes from single- to multi-user.) -- Per Jessen, Zürich (16.6°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am Sun, 19 Jun 2011 20:50:29 +0200
schrieb Per Jessen
Or automatically disable the auto-login when the next user is defined. (i.e. when the systems goes from single- to multi-user.)
Once you turn on networked auth (NIS at least, but I think also for LDAP), YaST pops up a window telling you that autologin is enabled for user "foo" and asks if you want to disable that. A similar thing when adding a user with the YaST user module would be good and probably it would not be that much work to implement (worst case would be to steal the code from the networked auth module). Now someone needs to file a FATE request :-) -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Stefan Seyfried wrote:
Am Sun, 19 Jun 2011 20:50:29 +0200 schrieb Per Jessen
: Or automatically disable the auto-login when the next user is defined. (i.e. when the systems goes from single- to multi-user.)
Once you turn on networked auth (NIS at least, but I think also for LDAP), YaST pops up a window telling you that autologin is enabled for user "foo" and asks if you want to disable that.
A similar thing when adding a user with the YaST user module would be good and probably it would not be that much work to implement (worst case would be to steal the code from the networked auth module).
YaST basically does that ever since the autologin features was implemented in 2003. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am Mon, 20 Jun 2011 11:37:25 +0200
schrieb Ludwig Nussel
Stefan Seyfried wrote:
Once you turn on networked auth (NIS at least, but I think also for LDAP), YaST pops up a window telling you that autologin is enabled for user "foo" and asks if you want to disable that.
A similar thing when adding a user with the YaST user module would be good and probably it would not be that much work to implement (worst case would be to steal the code from the networked auth module).
YaST basically does that ever since the autologin features was implemented in 2003.
Hm, maybe I should finally use YaST instead of "useradd" to add a new user ;-) So I don't understand what the whining in this thread is all about... -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Mon, 20 Jun 2011 15:28:06 +0530, Stefan Seyfried
Hm, maybe I should finally use YaST instead of "useradd" to add a new user So I don't understand what the whining in this thread is all about...
it's about if those who want auto-login have to click an extra option during install, or the other ones. highly important matter, of course... -- phani. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On 06/20/2011 08:13 AM, phanisvara das pecked at the keyboard and wrote:
On Mon, 20 Jun 2011 15:28:06 +0530, Stefan Seyfried
wrote: Hm, maybe I should finally use YaST instead of "useradd" to add a new user So I don't understand what the whining in this thread is all about...
it's about if those who want auto-login have to click an extra option during install, or the other ones. highly important matter, of course...
NO! The OP asked how to turn it off on a system that came pre-installed with openSUSE. He did not ask for other peoples opinion on why it is one way or another. -- Ken Schneider SuSe since Version 5.2, June 1998 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Mon, 20 Jun 2011 19:58:03 +0530, Ken Schneider - openSUSE
On 06/20/2011 08:13 AM, phanisvara das pecked at the keyboard and wrote:
On Mon, 20 Jun 2011 15:28:06 +0530, Stefan Seyfried
wrote: Hm, maybe I should finally use YaST instead of "useradd" to add a new user So I don't understand what the whining in this thread is all about...
it's about if those who want auto-login have to click an extra option during install, or the other ones. highly important matter, of course...
NO! The OP asked how to turn it off on a system that came pre-installed with openSUSE. He did not ask for other peoples opinion on why it is one way or another.
not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards. -- phani. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am 20.06.2011 17:35, schrieb phanisvara das:
not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.
right. I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in. In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system. I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system. So, what speaks against changing the default choose? :-) -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On 06/20/2011 11:50 AM, Kim Leyendecker pecked at the keyboard and wrote:
Am 20.06.2011 17:35, schrieb phanisvara das:
not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.
right.
My apologies for the error, but I do remember it being asked.
I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in.
In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system.
I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.
So, what speaks against changing the default choose? :-)
-- Ken Schneider SuSe since Version 5.2, June 1998 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Kim Leyendecker wrote:
Am 20.06.2011 17:35, schrieb phanisvara das:
not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.
right.
I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in.
In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system.
I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.
So, what speaks against changing the default choose? :-)
It seems to me that the current setup is a good compromise and probably needs no change. For a personal single-user machine, auto-login may be bad security practice, but it's good for usability. The minute the machine goes multi-user (via yast), the owner/admin is alerted about the auto-login and offered to disable it. Personally, I would like to see the default auto-login removed, but I can live with it if it means it makes it easier for the majority. -- Per Jessen, Zürich (19.2°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Per Jessen wrote:
Kim Leyendecker wrote:
Am 20.06.2011 17:35, schrieb phanisvara das:
not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.
right.
I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in.
In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system.
I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.
So, what speaks against changing the default choose? :-)
It seems to me that the current setup is a good compromise and probably needs no change. For a personal single-user machine, auto-login may be bad security practice, but it's good for usability. The minute the machine goes multi-user (via yast), the owner/admin is alerted about the auto-login and offered to disable it.
Logging in as root would be bad security practice. The autologin is irrelevant as long as you don't also lock down your BIOS¹ and boot loader and make sure that other OS can't access the Linux partition. That still doesn't help against an attacker that can open the casing though. So if you are concerned about privacy use disk encryption. You can even combine that with autologin to avoid having to type two passwords at boot. An argument that was not brought up in this discussion was password strength. I'd argue that having autologin decreases the chance of users picking silly but easy to type passwords like "12345". Fortunately that's not so much of a concern nowadays anymore with sshd off and firewall on by default though. So IMO having autologin on is a nice feature. Nevertheless there is room for further improvements: - lock down the bootloader by default. Maybe grub could be made to read the root password from /etc/shadow to avoid having yet another one. - allow to have local only accounts. Such users do not need a password at all. Only the display manager should be allowed to log them in. Ie no ssh, even if sshd is on for other accounts. - allow to map LUKS key slots to user names so the system would log in different users automatically depending on the passphrase that was typed to unlock the encrypted disk. cu Ludwig [1] BIOSes used to have master passwords though so locking down the BIOS actually doesn't work. I don't know if that's still the case on modern machines though. -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Ludwig Nussel wrote:
[1] BIOSes used to have master passwords though so locking down the BIOS actually doesn't work. I don't know if that's still the case on modern machines though.
Depends on the machine - for the single-user machines we're talking about, probably not. -- Per Jessen, Zürich (21.4°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Monday 20 June 2011 17:50:52 Kim Leyendecker wrote:
Am 20.06.2011 17:35, schrieb phanisvara das:
not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.
right.
I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in.
In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system.
I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.
So, what speaks against changing the default choose? :-) Shoot in an openFATE feature, I'd say. I think the auto-login is convenient for the average home user, but I don't care much - I'll enable it myself (with auto lock after login of course) if I have to.
Le 20/06/2011 22:56, Jos Poortvliet a écrit :
for the average home user, but I don't care much - I'll enable it myself (with auto lock after login of course) if I have to.
how do you manage this? thanks jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
* jdd
Le 20/06/2011 22:56, Jos Poortvliet a écrit :
for the average home user, but I don't care much - I'll enable it myself (with auto lock after login of course) if I have to.
how do you manage this?
systemsettings --> login screen --> convenience --> uncheck "enable auto-login" -- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Mon, Jun 20, 2011 at 6:43 PM, Patrick Shanahan
* jdd
[06-20-11 17:58]: Le 20/06/2011 22:56, Jos Poortvliet a écrit :
for the average home user, but I don't care much - I'll enable it myself (with auto lock after login of course) if I have to.
how do you manage this?
systemsettings --> login screen --> convenience --> uncheck "enable auto-login"
Does that actually work for you? It doesn't for me (I have to set it in YaST as I described earlier in this thread).
-- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
-- Ista Zahn Graduate student University of Rochester Department of Clinical and Social Psychology http://yourpsyche.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
* Ista Zahn
systemsettings --> login screen --> convenience --> uncheck "enable auto-login"
Does that actually work for you? It doesn't for me (I have to set it in YaST as I described earlier in this thread).
-- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
-- Ista Zahn Graduate student University of Rochester Department of Clinical and Social Psychology http://yourpsyche.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
I don't know. I don't use auto-log-in, but knew of the existance above and *assumed* it just worked as all my other linux apps do :^) -- (paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 http://en.opensuse.org openSUSE Community Member Registered Linux User #207535 @ http://counter.li.org -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Le 21/06/2011 00:43, Patrick Shanahan a écrit :
* jdd
[06-20-11 17:58]: Le 20/06/2011 22:56, Jos Poortvliet a écrit :
for the average home user, but I don't care much - I'll enable it myself (with auto lock after login of course) if I have to.
how do you manage this?
systemsettings --> login screen --> convenience --> uncheck "enable auto-login"
this I know (works with yast), but how can I make the system immediately lock after boot (and keep the usual lock delay after use) thanks jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Tuesday 21 June 2011 07:55:17 jdd wrote:
Le 21/06/2011 00:43, Patrick Shanahan a écrit :
* jdd
[06-20-11 17:58]: Le 20/06/2011 22:56, Jos Poortvliet a écrit :
for the average home user, but I don't care much - I'll enable it myself (with auto lock after login of course) if I have to.
how do you manage this?
systemsettings --> login screen --> convenience --> uncheck "enable auto-login"
this I know (works with yast), but how can I make the system immediately lock after boot (and keep the usual lock delay after use)
thanks jdd
I believe I just went to the above systemsettings and configured it there...
Le 21/06/2011 12:57, Jos Poortvliet a écrit :
I believe I just went to the above systemsettings and configured it there...
oh, ok, found. This is the problem when using a product for more than 10 years, you miss new things :-) thanks Also need to edit sysconfig to allow autologin (this bug is discussed in this thread) jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/20/2011 11:50 AM, Kim Leyendecker wrote:
Am 20.06.2011 17:35, schrieb phanisvara das:
not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.
right.
I asked if it could be changed to the non-auto-log-in case, so that you need to give on your password when you´re locking in.
In general it should be just a present for such *stupid* computer-dealers like my one was, who are only click on next and present it as your installed system.
I think 99% of our users who didn´t care if the log in is automatically by default. But these 1% who care are still their. And I dare to say that these 99% also didn´t care if they suddenly should give on their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.
So, what speaks against changing the default choose? :-)
I do. It's what users expect coming from other systems. I use autologin on my workstation and like it. I'd rather it not change. Conducting a simple vote on opensuse-factory based on personal preferences is not going to work for usability issues. The simple fact is that the vast majority of our users aren't on this list and the participants on this list tend to be more technically inclined. - -Jeff - -- Jeff Mahoney SuSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk4A5S4ACgkQLPWxlyuTD7KpAwCffisclpsiE72Cu1bJkqMi5FNs h4UAnREA6k3SddwT0hpIIshJHZSoYp4h =vZdn -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Jeff Mahoney wrote:
Conducting a simple vote on opensuse-factory based on personal preferences is not going to work for usability issues. The simple fact is that the vast majority of our users aren't on this list and the participants on this list tend to be more technically inclined.
That is probably the most important point made in this thread so far. -- Per Jessen, Zürich (19.4°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Le 22/06/2011 07:37, Per Jessen a écrit :
Jeff Mahoney wrote:
Conducting a simple vote on opensuse-factory based on personal preferences is not going to work for usability issues. The simple fact is that the vast majority of our users aren't on this list and the participants on this list tend to be more technically inclined.
That is probably the most important point made in this thread so far.
yes. And we have to educate users for good practices. Even wibndows users are now incited to use passwd (and I have to admit that using passwd protected windows system is more and more easy), so why mimic obsolete practice? In fact Linux has good practice and other system join us when we try to copycat old bad practices. Pretty funny jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am 21.06.2011 20:38, schrieb Jeff Mahoney:
I do. It's what users expect coming from other systems. I use autologin on my workstation and like it. I'd rather it not change.
Conducting a simple vote on opensuse-factory based on personal preferences is not going to work for usability issues. The simple fact is that the vast majority of our users aren't on this list and the participants on this list tend to be more technically inclined.
okay. agreed, but it wasn´t my first purpose to discuss it here, but on openFATE. Yes, in the end, it´s almost the same circle of people, so, I think we can close this thread, or use it to discuss these things, which are called "off-topic" some posts before :-) so far from me -- Kim Leyendecker (kdl@k-dl.de.vu) openSUSE Ambassador, openSUSE Wiki Team DE HAVE A LOT OF FUN! http://www.opensuse.org Have you tried SUSE Studio? Need to create a Live CD, an app you want to package and distribute or create your own Linux distro. Give SUSE Studio a try. http://www.susestudio.com -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On 19/06/11 19:07, Markus Slopianka wrote:
So, why not change to a manual log in. Why not? It´s more secure in the case, that there´s someone other in your family, who wants to change your files, or just read them (this could be happen.).
The question is not: "Why should we do it?" It´s just "Why *shouldn´t* we do it?" If there is only a single user account present, logging in automatically is better usability.
Better than having the extremely onerous task of entering a few additional keystrokes - I'll have to sleep on that one for a few years.
Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room.
All that is accomplished in runlevel 3, so I don't see what great benefit is gained - even life and death surgery has to wait until the ambulance has arrived, patient transported to theatre and the surgeon scubs up, dons his apron and gloves and considers how to proceed.
If more than one account is created, the account manager should ask to disable autologin.
Seriously, you are just a corner case and corner cases like you can be bothered to untick a little checkbox once. If you really want that rudimentary security, a way better option is to enable autologin but then set the option to automatically lock the screen after login. That way the system loads completely (incl. network connections) and your corner case is still solved. No corner case, no significant loss of time, no death resulting and no chance of a malpractice suit. Automatically log in in a work setting and you could lose a promising career. I have had people at work trying to guess my password. I went to do some work on a relative's Linux box and needed ssh access to my box at home to download some files if needed. A day later I remembered that ssh was still allowed through my smoothwall firewall box and the logs were full of password cracking attempts. Slack practices breed insecurity. Regards Sid.
-- Sid Boyce ... Hamradio License G3VBV, Licensed Private Pilot Emeritus IBM/Amdahl Mainframes and Sun/Fujitsu Servers Tech Support Senior Staff Specialist, Cricket Coach Microsoft Windows Free Zone - Linux used for all Computing Tasks -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/19/2011 03:10 PM, Sid Boyce wrote:
On 19/06/11 19:07, Markus Slopianka wrote:
So, why not change to a manual log in. Why not? It´s more secure in the case, that there´s someone other in your family, who wants to change your files, or just read them (this could be happen.).
The question is not: "Why should we do it?" It´s just "Why *shouldn´t* we do it?" If there is only a single user account present, logging in automatically is better usability.
Better than having the extremely onerous task of entering a few additional keystrokes - I'll have to sleep on that one for a few years.
Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room.
All that is accomplished in runlevel 3, so I don't see what great benefit is gained - even life and death surgery has to wait until the ambulance has arrived, patient transported to theatre and the surgeon scubs up, dons his apron and gloves and considers how to proceed.
Not with NetworkManager enabled, which depends on the applet for per-user configuration.
If more than one account is created, the account manager should ask to disable autologin.
Seriously, you are just a corner case and corner cases like you can be bothered to untick a little checkbox once. If you really want that rudimentary security, a way better option is to enable autologin but then set the option to automatically lock the screen after login. That way the system loads completely (incl. network connections) and your corner case is still solved. No corner case, no significant loss of time, no death resulting and no chance of a malpractice suit. Automatically log in in a work setting and you could lose a promising career. I have had people at work trying to guess my password.
If we're considering workplace-deployed machines as the 'common' case, I think we're off the mark. In environments where many machines are going to be installed with identical systems, imaging and/or autoyast should be used. In that case, it's a simple step to uncheck the box (or do likewise in autoyast) so that it's cleared for all installs.
I went to do some work on a relative's Linux box and needed ssh access to my box at home to download some files if needed. A day later I remembered that ssh was still allowed through my smoothwall firewall box and the logs were full of password cracking attempts. Slack practices breed insecurity.
I'm not sure how this is germane to the discussion. The accounts with autologin aren't passwordless and those defaults are already in lock-down mode. - -Jeff - -- Jeff Mahoney SuSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk4A5zEACgkQLPWxlyuTD7JEzQCeO4rINZDw5q31H6X4LAaR1f6p rCYAn19Cgsq2QkOpfddbKV+wjDjsxBk1 =pesa -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am Tue, 21 Jun 2011 14:47:13 -0400
schrieb Jeff Mahoney
I'm not sure how this is germane to the discussion. The accounts with autologin aren't passwordless and those defaults are already in lock-down mode.
Off-topic: the most secure password for SSH login is the empty one: ...because sshd default config forbids login with empty password :-) -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Hello, on Dienstag, 21. Juni 2011, Jeff Mahoney wrote:
On 19/06/11 19:07, Markus Slopianka wrote:
Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room. ... Not with NetworkManager enabled, which depends on the applet for
On 06/19/2011 03:10 PM, Sid Boyce wrote: per-user configuration.
Yes, that's one of the reasons why I don't like NM :-( Would it be possible to "cache" the last used connection and (try to) use this connection again at the next boot, even if nobody is logged in yet? (And also not to disconnect after logout?) IMHO this would improve the situation for several reasons: - network available to boot scripts (ntpd has a "nice" timeout at boot if the network/internet is not reachable) - network is available for sure when the user logs in (think of KMail in autostart, and having it configured to fetch mails at startup - with NM this can be a nice race condition) The only disadvantage I can think of is that the computer could be connected to the "wrong" network until someone logs in - but I doubt this is a problem in reallife because it would basically be the same if the previous user was still logged in ;-) If another user with different network settings logs in, closing down the cached connection and connecting to "his" network isn't really hard. What do you think about this idea? Regards, Christian Boltz -- DOSen-Hersteller: "Wisst ihr, was wir DOSen-Hersteller an Euch Windows-Usern so toll finden?" Windows-User: "Keine Ahnung." DOSen-Hersteller: "Genau." -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am Wed, 22 Jun 2011 01:14:32 +0200
schrieb Christian Boltz
Hello,
on Dienstag, 21. Juni 2011, Jeff Mahoney wrote:
On 19/06/11 19:07, Markus Slopianka wrote:
Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room. ... Not with NetworkManager enabled, which depends on the applet for
On 06/19/2011 03:10 PM, Sid Boyce wrote: per-user configuration.
Yes, that's one of the reasons why I don't like NM :-(
Would it be possible to "cache" the last used connection and (try to) use this connection again at the next boot, even if nobody is logged in yet? (And also not to disconnect after logout?)
I guess that's what that "Available to all users" checkbox in nm-connection-editor is for? (Never tried it, but it certainly looks like "make the connection stored in system-wide storage")
- network available to boot scripts (ntpd has a "nice" timeout at boot if the network/internet is not reachable)
ntpd simply needs a trigger on "network up" event. I did this with a dispatcher script.
- network is available for sure when the user logs in (think of KMail in autostart, and having it configured to fetch mails at startup - with NM this can be a nice race condition)
Complain to the KMail developers if it does not honor network state notifications. Claws-Mail and pidgin go offline if my connection is offline and don't bother me with errors.
What do you think about this idea?
I think it's all already there. -- Stefan Seyfried "Dispatch war rocket Ajax to bring back his body!" -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Wednesday 22 Jun 2011 08:33:53 Stefan Seyfried wrote:
Am Wed, 22 Jun 2011 01:14:32 +0200
schrieb Christian Boltz
: - network is available for sure when the user logs in (think of KMail in
autostart, and having it configured to fetch mails at startup - with NM this can be a nice race condition)
Complain to the KMail developers if it does not honor network state notifications. Claws-Mail and pidgin go offline if my connection is offline and don't bother me with errors.
Done in kdepim 4.6 (was also done in our packages for 3.5.5 and later but my patch was never accepted upstream). Will -- Will Stephenson, openSUSE Team SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Tuesday 21 Jun 2011 20:47:13 Jeff Mahoney wrote:
Better than having the extremely onerous task of entering a few additional keystrokes - I'll have to sleep on that one for a few years.
Autologin allows the system to fully boot up incl. to connect to WLANs and not stop at KDM. During boot one can leave the room.
All that is accomplished in runlevel 3, so I don't see what great benefit is gained - even life and death surgery has to wait until the ambulance has arrived, patient transported to theatre and the surgeon scubs up, dons his apron and gloves and considers how to proceed.
Not with NetworkManager enabled, which depends on the applet for per-user configuration.
NM 0.9 does not depend on the applet for per-user configuration any more - it is all pushed into the daemon, controlled by polkit. Will -- Will Stephenson, openSUSE Team SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Not with NetworkManager enabled, which depends on the applet for per-user configuration.
NM 0.9 does not depend on the applet for per-user configuration any more - it is all pushed into the daemon, controlled by polkit.
Last time I checked the password is stored per user. So unless the network is not unencrypted, the point still stands. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Le 19/06/2011 20:07, Markus Slopianka a écrit :
If there is only a single user account present, logging in automatically is better usability.
and teach extremely bad practice. Even on a one user copputer, allowing anybody passing by to read the content or simply use the computer without asking, trash the config... That's exactly what makes the difference between Windows and Linux: Windows allows all but soon fails to work, Linux ask for some effort but works for ever jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Am Sonntag 19 Juni 2011, 22:24:22 schrieb jdd:
Le 19/06/2011 20:07, Markus Slopianka a écrit :
If there is only a single user account present, logging in automatically is better usability.
and teach extremely bad practice.
The actual bad practise is to have a non-encrypted /home partition but that's not what this thread is about. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
El 19/06/11 16:24, jdd escribió:
Le 19/06/2011 20:07, Markus Slopianka a écrit :
If there is only a single user account present, logging in automatically is better usability.
and teach extremely bad practice.
You are trying to solve an edge-case, a problematic human behavior with technology that is not designed for that task. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Sunday 19 June 2011 16:46:03 Cristian Rodríguez wrote:
El 19/06/11 16:24, jdd escribió:
Le 19/06/2011 20:07, Markus Slopianka a écrit :
If there is only a single user account present, logging in automatically is better usability.
and teach extremely bad practice.
You are trying to solve an edge-case, a problematic human behavior with technology that is not designed for that task.
Are you really arguing for doing what windows 98 did, when even windows XP defaults to making you log in? Please don't Anders -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/19/2011 07:12 PM, Anders Johansson wrote:
On Sunday 19 June 2011 16:46:03 Cristian Rodríguez wrote:
El 19/06/11 16:24, jdd escribió:
Le 19/06/2011 20:07, Markus Slopianka a écrit :
If there is only a single user account present, logging in automatically is better usability.
and teach extremely bad practice.
You are trying to solve an edge-case, a problematic human behavior with technology that is not designed for that task.
Are you really arguing for doing what windows 98 did, when even windows XP defaults to making you log in?
I wouldn't use Windows as a shining example of usability either. MacOS does autologin when there is only one user defined and offers to disable it when there are multiple users defined. - -Jeff - -- Jeff Mahoney SuSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk4A55YACgkQLPWxlyuTD7In7wCfcjoeIno3Iwuo6ExwjYs/tya8 nqAAn31BkAaqvDFNyyeGaW1aCALvBcD7 =ut1k -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Le 21/06/2011 20:48, Jeff Mahoney a écrit :
I wouldn't use Windows as a shining example of usability either. MacOS does autologin when there is only one user defined and offers to disable it when there are multiple users defined.
so just because others do silly things, we have to do the same? I just learned that it's possible to have autologin with passwd enabled (locked) right after boot, this seems to fix all the problems. Is it possible to have this as default? jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Tuesday, June 21, 2011 05:44:13 PM jdd wrote:
so just because others do silly things, we have to do the same?
It was mentioned few times that user login is not the way to protect your data. That other know that doesn't make them silly.
I just learned that it's possible to have autologin with passwd enabled (locked) right after boot, this seems to fix all the problems.
What problems? You just switched place where login happens, which allows user services to start, but security is not increased for a bit. If you leave computer unattended, who will prevent reboot with Live system and theft of data, installation of malware, and what not? When you come back, you will see your login and think all is fine :) Without login you will at least be aware that anyone can use computer and will not leave it, which is protection from more attack vectors then login alone.
Is it possible to have this as default?
Sure it is :) Anyone can have on computer anything as default, but, please, don't insist that false sense of protection is way to go. -- Regards, Rajko -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Wed, Jun 22, 2011 at 5:50 AM, Rajko M.
On Tuesday, June 21, 2011 05:44:13 PM jdd wrote:
I just learned that it's possible to have autologin with passwd enabled (locked) right after boot, this seems to fix all the problems.
What problems? You just switched place where login happens, which allows user services to start, but security is not increased for a bit.
If you leave computer unattended, who will prevent reboot with Live system and theft of data, installation of malware, and what not? When you come back, you will see your login and think all is fine :)
Without login you will at least be aware that anyone can use computer and will not leave it, which is protection from more attack vectors then login alone.
Is it possible to have this as default?
Sure it is :)
Anyone can have on computer anything as default, but, please, don't insist that false sense of protection is way to go.
-- Regards, Rajko
Let's be realistic here. Login may not provide as much protection as an encrypted drive, for instance, but it does provide some protection, especially against unsophisticated attackers. There are different levels of attack sophistication and different levels of attacker skill. Most people don't even know what a livecd is, not to mention how they can use one to get unauthorized access to a system. Most attackers are going to focus their efforts on targets that require the least time and effort, since time and effort increase the risk of being caught. So is the protection perfect? No. Would it stop any of us? No. But that doesn't mean that it provides no protection at all. -Todd -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Rajko M. wrote:
On Tuesday, June 21, 2011 05:44:13 PM jdd wrote:
so just because others do silly things, we have to do the same?
It was mentioned few times that user login is not the way to protect your data.
It was also mentioned a few times that that is not the primary concern. Most are "attackers" are not malicious, some are simply accidental or opportunistic. -- Per Jessen, Zürich (18.9°C) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
Le 22/06/2011 05:50, Rajko M. a écrit :
If you leave computer unattended, who will prevent reboot with Live system and theft of data, installation of malware, and what not? When you come back, you will see your login and think all is fine :)
you miss completely the point. The problem is *not* malicious attack, but unwanted use by unexperienced people. Most people don't have any really private content on they computer (else they should use crypted config), but many work and personal config. My (windows user)mother always complain that anybody coming home uses his account and than she do not find what she is accostumate to find. the risk of having important current work deleted or edited is not small. You may also don't want colleague being easily able to read your mail. It needs skills to open a passwd protected box and few people have it. Most unpleasant people simply try to, look upon your shoulder... jdd -- http://www.dodin.net http://pizzanetti.fr -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On 06/19/2011 03:43 AM, Stefan Seyfried wrote:
If you just clicked "next", then you also did not password-protect your GRUB setup and did not encrypt your $HOME.
So people can get at your files regardless of the users password. They'll simply boot with "init=/bin/sh", remove the root password and eat your cake.
encrypted /home has been mentioned a few times.. Folks must know that you should really encrypt tmp and swap as well. Also encryption won't save you from the law and court order. I guess you should use hidden double encryption ala truecrypt for that.. I wouldn't know. No encryption here :-) this is all even further off-topic, sorry. just put it in FATE & lets vote on it. -johnm -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
participants (27)
-
Anders Johansson
-
Andreas Jaeger
-
Carlos E. R.
-
Christian Boltz
-
Cristian Rodríguez
-
Felix Miata
-
Greg Freemyer
-
Ista Zahn
-
jdd
-
Jeff Mahoney
-
Joerg Mayer
-
johnmS2
-
Jos Poortvliet
-
Ken Schneider - openSUSE
-
Kim Leyendecker
-
Ludwig Nussel
-
Markus Slopianka
-
Patrick Shanahan
-
Per Jessen
-
phanisvara das
-
Rajko M.
-
Richard (MQ)
-
Sid Boyce
-
Stefan Seyfried
-
Susanne Oberhauser
-
todd rme
-
Will Stephenson