[opensuse] anyone can login without a password
13.1

Hi
Anyone can login locally to my laptop without a password.

pam:
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so use_first_pass
auth sufficient pam_sss.so use_first_pass
session required pam_limits.so
session required pam_unix2.so
session optional pam_sss.so
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm

I've looked in yast user management and passwordless logons is not checked. I've tried resetting my password. This is happening with /etc/passwd logins only. If I connect to the domain as my domain user, sssd does not log me in without the password.

How do I get local logins to require a password?
Thanks,
L x

On 06/26/2014 07:27 AM, lynn wrote:
> 13.1
> Hi
> Anyone can login locally to my laptop without a password.
>
> pam:
> auth required pam_env.so
> auth optional pam_gnome_keyring.so
> auth sufficient pam_unix2.so use_first_pass
> auth sufficient pam_sss.so use_first_pass
> session required pam_limits.so
> session required pam_unix2.so
> session optional pam_sss.so
> session optional pam_umask.so
> session optional pam_systemd.so
> session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
>
> I've looked in yast user management and passwordless logons is not checked. I've tried resetting my password. This is happening with /etc/passwd logins only. If I connect to the domain as my domain user, sssd does not log me in without the password.
>
> How do I get local logins to require a password?

What file are you quoting above? I have no file with that contents in my 13.1 /etc/pam.d/*

What kind of login are you talking about here? CLI/text or GUI? That last line seems to imply a GUI.

If this was a non-standard, hand crafted, custom to your system PAM then please explain what your design/use-case requirements are for this very specific context (I take it that this is laptop only) and why you chose those modules and that order.

I look, for example, at '/etc/pam.d/login' and '/etc/pam.d/xdm', the text mode and gui mode login, and see that they both require

auth include common-auth
account include common-account
password include common-password
session include common-session

I note in particular that 'common-password' has

password required pam_unix.so

I realise your first two lines, for example, are cut-and-paste from common-auth but I see no 'password' or 'account' in any of your above. Is there a specific reason you have chosen to omit it?

For that matter is there a particular reason you've chosen to deviate so heavily from the 'include' of the 'common-*' style?

Perhaps your policy of customizing and deviating from the out-of-the-box has not served well in this case.

--
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML Mail
/ \

On Thu, 2014-06-26 at 08:11 -0400, Anton Aylward wrote:
> On 06/26/2014 07:27 AM, lynn wrote:
>> 13.1
>> Hi
>> Anyone can login locally to my laptop without a password.
>>
>> pam:
>> auth required pam_env.so
>> auth optional pam_gnome_keyring.so
>> auth sufficient pam_unix2.so use_first_pass
>> auth sufficient pam_sss.so use_first_pass
>> session required pam_limits.so
>> session required pam_unix2.so
>> session optional pam_sss.so
>> session optional pam_umask.so
>> session optional pam_systemd.so
>> session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
>>
>> I've looked in yast user management and passwordless logons is not checked. I've tried resetting my password. This is happening with /etc/passwd logins only. If I connect to the domain as my domain user, sssd does not log me in without the password.
>>
>> How do I get local logins to require a password?
>
> What file are you quoting above? I have no file with that contents in my 13.1 /etc/pam.d/*
>
> What kind of login are you talking about here? CLI/text or GUI? That last line seems to imply a GUI.
>
> If this was a non-standard, hand crafted, custom to your system PAM then please explain what your design/use-case requirements are for this very specific context (I take it that this is laptop only) and why you chose those modules and that order.
>
> I look, for example, at '/etc/pam.d/login' and '/etc/pam.d/xdm', the text mode and gui mode login, and see that they both require
>
> auth include common-auth
> account include common-account
> password include common-password
> session include common-session
>
> I note in particular that 'common-password' has
>
> password required pam_unix.so
>
> I realise your first two lines, for example, are cut-and-paste from common-auth but I see no 'password' or 'account' in any of your above. Is there a specific reason you have chosen to omit it?

No. Here is the complete stack:

auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so use_first_pass
auth sufficient pam_sss.so use_first_pass
session required pam_limits.so
session required pam_unix2.so
session optional pam_sss.so
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
password requisite pam_pwcheck.so nullok cracklib
password optional pam_gnome_keyring.so use_authtok
password sufficient pam_unix2.so use_authtok nullok
password required pam_sss.so use_authtok

> For that matter is there a particular reason you've chosen to deviate so heavily from the 'include' of the 'common-*' style?

No. Just trying to cut out all the stack comments.

> Perhaps your policy of customizing and deviating from the out-of-the-box has not served well in this case.

Standard 13.1 box which has sssd added via:
pam-config

Thanks,
L x

On Thu, 26 Jun 2014 13:27:52 +0200 lynn <lynn@steve-ss.com> wrote:
> 13.1
> Hi
> Anyone can login locally to my laptop without a password.
>
> pam:
> auth required pam_env.so
> auth optional pam_gnome_keyring.so
> auth sufficient pam_unix2.so use_first_pass
> auth sufficient pam_sss.so use_first_pass

You do not have any required module (pam_env is unlikely to fail and has nothing to do with authentication anyway) which means that it can never fail whatever happens.

On Thu, 2014-06-26 at 19:20 +0400, Andrey Borzenkov wrote:
> On Thu, 26 Jun 2014 13:27:52 +0200 lynn <lynn@steve-ss.com> wrote:
>> 13.1
>> Hi
>> Anyone can login locally to my laptop without a password.
>>
>> pam:
>> auth required pam_env.so
>> auth optional pam_gnome_keyring.so
>> auth sufficient pam_unix2.so use_first_pass
>> auth sufficient pam_sss.so use_first_pass
>
> You do not have any required module (pam_env is unlikely to fail and has nothing to do with authentication anyway) which means that it can never fail whatever happens.

Got it. Thanks:

auth required pam_sss.so use_first_pass

L x
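
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of Linux-PAM's four basic control flags, run over the auth lines posted above and over the same lines with the last one changed to `required`. The module outcomes are constructed scenarios, and the model assumes no bracketed `[value=action]` controls or `include` lines.

```python
# Simplified model of how Linux-PAM combines module results within one
# management group (auth), using the documented control-flag behaviour.

ORIGINAL = """\
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so use_first_pass
auth sufficient pam_sss.so use_first_pass
"""
# Same stack with the last line changed as in the final message of the thread.
FIXED = ORIGINAL.replace("sufficient pam_sss.so", "required pam_sss.so")


def parse(text, group="auth"):
    """Return [(control, module)] for one management group."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, results):
    """results maps module -> True (PAM_SUCCESS) or False (any error)."""
    verdict = None  # None: nothing decisive yet, True: success, False: failed
    for control, module in stack:
        ok = results[module]
        if ok and control == "sufficient" and verdict is not False:
            return True        # stop here, the stack succeeds
        if ok and verdict is None:
            verdict = True     # first success sets a positive result
        elif not ok and control == "requisite":
            return False       # stop here, the stack fails
        elif not ok and control == "required":
            verdict = False    # remember the failure, keep running modules
        # a failing 'sufficient' or 'optional' module is ignored
    return verdict is True


# Constructed scenario: wrong or empty password, so every module that checks
# credentials fails; pam_env.so only sets environment variables and succeeds.
WRONG_PASSWORD = {"pam_env.so": True, "pam_gnome_keyring.so": False,
                  "pam_unix2.so": False, "pam_sss.so": False}
# Constructed scenario: correct password for a local (non-domain) account.
LOCAL_OK = dict(WRONG_PASSWORD, **{"pam_unix2.so": True})

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        stack = parse(text)
        print(name, "wrong password ->", evaluate(stack, WRONG_PASSWORD),
              "| local password ->", evaluate(stack, LOCAL_OK))
```

In the original stack the only result that counts after both `sufficient` modules fail is the success from pam_env.so, so the wrong-password scenario is accepted; with `required pam_sss.so` it is rejected while a correct local password still succeeds at pam_unix2.so.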