Comment 14 for bug 104957

My Hardy desktop box has five user accounts, one of which (visitor) has no password. I can confirm that appending the following to /etc/securetty enables visitor to log in via GDM and successfully unlock gnome-screensaver and switch users.

# X displays
:0
:0.0
:20
:20.0
:21
:21.0
:22
:22.0
:23
:23.0
:24
:24.0

Do display names in this form always belong to local X servers? If so, including a bunch of them in /etc/securetty is probably the Right Thing.

I can also confirm that leaving /etc/securetty unmolested and doing the following instead gets the job done too:

$ cd /etc/pam.d
$ sudo cp common-auth common-auth-loose
$ sudo sed -i s/nullok_secure/nullok/ common-auth-loose
$ sudo sed -i s/common-auth/common-auth-loose/ gdm gnome-screensaver

Is this all kinds of insecure as it stands, or only if I turn on XDMCP?