[Bug 798939] New: PAM prevents "choose password at next login" and "login without password" from working
https://bugzilla.novell.com/show_bug.cgi?id=798939
https://bugzilla.novell.com/show_bug.cgi?id=798939#c0

Summary: PAM prevents "choose password at next login" and "login without password" from working
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: mike.catanzaro@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.22+ (KHTML, like Gecko) Chromium/17.0.963.56 Chrome/17.0.963.56 Safari/535.22+ SUSE/12.2 (3.4.2) Epiphany/3.4.2

There's a discussion on this at https://bugzilla.novell.com/show_bug.cgi?id=779408, starting at Comment 14.

We basically concluded that our PAM configuration is fairly broken, but none of us know what to do about it. =/

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=798939#c
Michael Catanzaro
https://bugzilla.novell.com/show_bug.cgi?id=798939#c1
--- Comment #1 from Thorsten Kukuk
https://bugzilla.novell.com/show_bug.cgi?id=798939#c2
Thorsten Kukuk
https://bugzilla.novell.com/show_bug.cgi?id=798939#c3
Michael Catanzaro
https://bugzilla.novell.com/show_bug.cgi?id=798939#c4
--- Comment #4 from Vincent Untz
> Adjust subject, this is a pam_gnome_keyring only problem.

This has nothing to do with pam_gnome_keyring :-)

The issue here is that accountsservice (and the UI in gnome-control-center that exposes features from accountsservice) can let people choose options wrt password management, including "login without password" and "choose password on next login".

This doesn't work by using pam_gnome_keyring, but by calling "passwd -d -- $user" (and "chage -d 0 -- $user"), so that's the standard tools.

Now, if we don't want to support this in openSUSE, that's features we should disable (both in accountsservice and in the UI).
https://bugzilla.novell.com/show_bug.cgi?id=798939#c5
--- Comment #5 from Thorsten Kukuk
(In reply to comment #2)
> Adjust subject, this is a pam_gnome_keyring only problem.

> This has nothing to do with pam_gnome_keyring :-) The issue here is that accountsservice (and the UI in gnome-control-center that exposes features from accountsservice) can let people choose options wrt password management, including "login without password" and "choose password on next login".

"login without password" is not an accountservice from the base system. But if you don't use pam_gnome_keyring, it is possible to enable this feature by calling "pam-config -a --nullok".

> This doesn't work by using pam_gnome_keyring, but by calling "passwd -d -- $user" (and "chage -d 0 -- $user"), so that's the standard tools.

GNOME bug. Your conclusion/expectation is wrong. Calling "passwd -d $user" does not allow you to login the next time without password, it only deletes the password of the user. And the second part, changing the password at next login, is working if you enter the old one first and don't delete them.

> Now, if we don't want to support this in openSUSE, that's features we should disable (both in accountsservice and in the UI).

It's not a question if we want to support this (we do if you don't use pam_gnome_keyring and call "pam-config -a --nullok"), it's a matter of if we want to allow an insecure system by default where everybody can login without password. And the decision was, that we don't want to have an insecure system by default.
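
The interaction discussed in comment #5, as an added example that is not part of the thread or of any openSUSE tool: an audit sketch that reads shadow entries for the states left by "passwd -d" (empty password field) and "chage -d 0" (last-change field 0), and reports whether the pam_unix auth line carries nullok. The shadow lines, the PAM stack and the function names are constructed for illustration.

```python
# Added example: constructed sample data, not taken from the bug report.
SAMPLE_SHADOW = """\
alice::15700:0:99999:7:::
bob:$6$constructed$constructed:0:0:99999:7:::
carol::0:0:99999:7:::
dave:$6$constructed$constructed:15700:0:99999:7:::
daemon:*:15700::::::
"""
PAM_DEFAULT = """\
auth  required  pam_env.so
auth  optional  pam_gnome_keyring.so
auth  required  pam_unix.so try_first_pass
"""
# Same stack with the nullok argument added to pam_unix.
PAM_NULLOK = PAM_DEFAULT.replace("try_first_pass", "try_first_pass nullok")


def pam_unix_nullok(pam_text, mgmt="auth"):
    """True if a pam_unix line of type `mgmt` carries the nullok argument."""
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens or tokens[0].lstrip("-") != mgmt:
            continue
        for i, tok in enumerate(tokens[1:], start=1):
            if tok.rsplit("/", 1)[-1] == "pam_unix.so":
                if "nullok" in tokens[i + 1:]:
                    return True
    return False


def audit(shadow_text, pam_text):
    """Map user -> findings for empty passwords and forced changes."""
    nullok = pam_unix_nullok(pam_text)
    report = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        user, pw, lastchg = fields[0], fields[1], fields[2]
        notes = []
        if pw == "":  # state left by `passwd -d`
            notes.append("empty-password-login-allowed" if nullok
                         else "empty-password-rejected-by-pam_unix")
        if lastchg == "0":  # state left by `chage -d 0`
            notes.append("change-forced-at-next-login")
        if notes:
            report[user] = notes
    return report
```

An account that shows both findings without nullok is in the state the thread describes: the password is gone and a change is forced, but pam_unix will not accept the blank password.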
https://bugzilla.novell.com/show_bug.cgi?id=798939#c6
--- Comment #6 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=798939#c7
--- Comment #7 from Thorsten Kukuk
https://bugzilla.novell.com/show_bug.cgi?id=798939#c8
Michael Calmer
https://bugzilla.novell.com/show_bug.cgi?id=798939#c9
Michael Catanzaro