Per Jessen wrote:
Kim Leyendecker wrote:
On 20.06.2011 17:35, phanisvara das wrote:
not correct. the OP, Kim Leyendecker, asked for the default behavior of openSUSE to be changed; he did not ask for info. how to change it afterwards.
right.
I asked if it could be changed to the non-auto-log-in case, so that you need to give your password when you're logging in.
In general it should be just a present for such *stupid* computer-dealers like mine was, who only click on next and present it as your installed system.
I think 99% of our users don't care if the login is automatic by default. But these 1% who care are still there. And I dare to say that these 99% also wouldn't care if they suddenly had to give their password, whereas the 1% are lucky with the change, so that, in the best case, 100% are still lucky about their system.
So, what speaks against changing the default choice? :-)
It seems to me that the current setup is a good compromise and probably needs no change. For a personal single-user machine, auto-login may be bad security practice, but it's good for usability. The minute the machine goes multi-user (via yast), the owner/admin is alerted about the auto-login and offered to disable it.
Logging in as root would be bad security practice. The autologin is irrelevant as long as you don't also lock down your BIOS¹ and boot loader and make sure that other OS can't access the Linux partition. That still doesn't help against an attacker that can open the casing though. So if you are concerned about privacy use disk encryption. You can even combine that with autologin to avoid having to type two passwords at boot.

An argument that was not brought up in this discussion was password strength. I'd argue that having autologin decreases the chance of users picking silly but easy to type passwords like "12345". Fortunately that's not so much of a concern nowadays anymore with sshd off and firewall on by default though.

So IMO having autologin on is a nice feature. Nevertheless there is room for further improvements:

- lock down the bootloader by default. Maybe grub could be made to read the root password from /etc/shadow to avoid having yet another one.
- allow to have local only accounts. Such users do not need a password at all. Only the display manager should be allowed to log them in. Ie no ssh, even if sshd is on for other accounts.
- allow to map LUKS key slots to user names so the system would log in different users automatically depending on the passphrase that was typed to unlock the encrypted disk.

cu
Ludwig

[1] BIOSes used to have master passwords though so locking down the BIOS actually doesn't work. I don't know if that's still the case on modern machines though.

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)