On Wed, Jul 30, 2008 at 10:13:01PM -0000, Sebastien Bacher wrote:
> the xdmcp browser and standard login greeter are different interface so
> it would probably be possible to special cases non password local logins
> if somebody really wants to work on this nonsecure option
Do xdmcp and the standard greeter declare separate PAM service names?
Otherwise it's still not practical to do this by default without introducing
a security hole, because unless the two can be distinguished by "tty" (i.e.,
X display) values, the PAM behavior is going to be either insecure, or block
out this use case.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>
On Wed, Jul 30, 2008 at 10:13:01PM -0000, Sebastien Bacher wrote:
> the xdmcp browser and standard login greeter are different interface so
> it would probably be possible to special cases non password local logins
> if somebody really wants to work on this nonsecure option
Do xdmcp and the standard greeter declare separate PAM service names?
Otherwise it's still not practical to do this by default without introducing
a security hole, because unless the two can be distinguished by "tty" (i.e.,
X display) values, the PAM behavior is going to be either insecure, or block
out this use case.
-- www.debian. org/
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://
<email address hidden> <email address hidden>