https://bugzilla.novell.com/show_bug.cgi?id=798939 https://bugzilla.novell.com/show_bug.cgi?id=798939#c1 --- Comment #1 from Thorsten Kukuk 2013-01-17 06:36:05 UTC --- No, our configuration works exactly as designed and you are mixing two things: authentication and changing the password. The first one is independent of the second one. Fedora seems to allow to login with an empty password, we don't do that for security reasons. This was a strategic distribution decission. But to set the password on the first login, you need to allow login with empty password. Between, setting password only on the first login is really dangerous, since everybody can login with that account and set his own password. About pam_gnome_keyring.so: This is coming from the GNOME people, not from PAM maintainers. Don't use GNOME and that problem is solved, too. Or ask the GNOME people to find a better solution. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=798939 https://bugzilla.novell.com/show_bug.cgi?id=798939#c3 Michael Catanzaro changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vuntz@suse.com --- Comment #3 from Michael Catanzaro 2013-01-17 21:54:26 UTC --- Hm, I didn't realize we didn't support empty passwords. Well that's a good reason for them to be broken! I guess if we don't allow login without password, then the presence of a login without password option is itself a problem, and there's no way "choose password at next login" can ever work. I don't think GNOME is going to change anything since, as you said, there's no way it can be made to work without accepting empty passwords, which is a feature of the GNOME desktop. So we need to support it or manually remove it. I guess our two choices are: * Have GDM simply ignore the global PAM settings * Remove "login without password" and "choose password on next login" The first seems wrong, the second requires patching gnome-control-center forever. Am I missing any options; Vincent, which is best? Thorsten, can you explain clearly what if anything is wrong with pam_gnome_keyring? My understanding of the problem is that pam_unix2 fails in auth because it does not have nullok; this seems unrelated to gnome_keyring? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=798939 https://bugzilla.novell.com/show_bug.cgi?id=798939#c5 --- Comment #5 from Thorsten Kukuk 2013-01-18 08:49:38 UTC --- (In reply to comment #4)

(In reply to comment #2)

...

Adjust subject, this is a pam_gnome_keyring only problem.

This has nothing to do with pam_gnome_keyring :-) The issue here is that accountsservice (and the UI in gnome-control-center that exposes features from accountsservice) can let people choose options wrt password management, including "login without password" and "choose password on next login".

"login without password" is not an accountservice from the base system. But if you don't use pam_gnome_keyring, it is possible to enable this feature by calling "pam-config -a --nullok".

This doesn't work by using pam_gnome_keyring, but by calling "passwd -d -- $user" (and "chage -d 0 -- $user"), so that's the standard tools.

GNOME bug. Your conclusion/expectation is wrong. Calling "passwd -d $user" does not allow you to login the next time without password, it only deletes the password of the user. And the second part, changing the password at next login, is working if you enter the old one first and don't delete them.

Now, if we don't want to support this in openSUSE, that's features we should disable (both in accountsservice and in the UI).

It's not a question if we want to support this (we do if you don't use pam_gnome_keyring and calls "pam-config -a --nullok"), it's a matter of if we want to allow an insecure system by default where everybody can login without password. And the decission was, that we don't want to have an insecure system by default. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=798939 https://bugzilla.novell.com/show_bug.cgi?id=798939#c7 --- Comment #7 from Thorsten Kukuk 2013-01-18 10:05:38 UTC --- Ok, then the two bugs are: accountservice that it calls "passwd -d" for "login without password". That's bogus. It should be called "Delete current password". But this doesn't make sense, too. pam_gnome_keyring: integration into pam-config/pam stack was done in a way, that it breaks login without password if you call "pam-config -a --nullok". -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=798939 https://bugzilla.novell.com/show_bug.cgi?id=798939#c9 Michael Catanzaro changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE --- Comment #9 from Michael Catanzaro 2013-01-25 20:59:00 UTC --- We basically have two bugs for this issue now, let's keep the discussion in one place. *** This bug has been marked as a duplicate of bug 779408 *** http://bugzilla.novell.com/show_bug.cgi?id=779408 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.