Eric on 19 Aug 2005 14:41:32 -0000
Quoting Cosmin Nicolaescu <cos@camelot.homelinux.com>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, August 20, 2005 8:29 pm, Eric wrote:
> > I need some SysAdmin advice...
> >
> > I have a Red Hat box that I'm installing some software on and the users
> > expect to connect with no password. I'm okay with that since it's not on
> > the network and they are all hard-wired terminals. First I tried zeroing
> > out the password in the neat little gooey (GUI) tool but it won't let me
> > save the user that way. Failing that, I tried to replace the "x" in the
> > password file with nothing. No joy - the login fails without even asking
> > for the password.
> >
> > Does this mean that I have to tinker with PAM? Last time I tried that I
> > froze myself out of the damn box so bad I had to boot into single user
> > mode and un-do my mistake(s). Since then I've just left it alone :-)
> >
> > Thanks,
> > Eric
> > --
>
> Just a quick question on the matter:
>
> how does the software connect? I mean, you're talking about blank
> passwords, and been getting the 'delete the password entries in
> /etc/shadow', but that would mean that the users would have no
> password...at all...unless you have PermitEmptyPasswords no in
> /etc/ssh/sshd_config, anybody will get in your box, if you have a mail
> server, then all imap/pop access will be passwordless...
>
> now, if you don't have any remote services, which means that in order to
> use that software the users would have to come to the machine locally and
> start the software, you might have some better options, but they all
> depend on how the software operates:
>
> 1. you edit /etc/pam.d/login to not check for password
> 2. you add a file to /etc/pam.d/ for this software, and bypass the
>    password authentication (this requires the software to support pam)
> 3. you add the users to a group and use sudo to give the users in that
>    group access to the software with NOPASSWD (that would imply that
>    everybody would run the software as the same user)
> 4. you have some sort of wrapper script
>
> Again, a description of what the software does and knowing how it works
> would be needed for the best solution, but all I'm trying to make sure is
> that you don't have a system out there on the net with n (where n>0)
> passwordless accounts.
>
> - -Cos

Thanks to everybody who has responded. I've been experimenting. Meanwhile,
here are some details:

The computer is NOT connected to the internet. It IS connected to a private
internal network only. I would not allow it to run with no passwords if it
was on the internet.

The application uses ncurses - terminal based only. When the users log on
they are sent directly to the application menu (via .login script for csh).
Yes, they can interrupt the script (ctrl-c) but they don't know it and even
if they did they don't know what to do with a shell prompt.

Most users connect via "hard line" - serial connected terminal. The few
remaining users connect via telnet from the internal network.

So, we're really talking about login not requiring a password for _some_
user accounts. I tried on my SuSE system to have an account with null
/etc/password and /etc/shadow entries for the user. Cannot log in.

I believe PAM will be the solution but I'm not sure how to restrict it to a
subset of the users. Looks like it's PAM documentation reading time for me.
Hope it's improved since the last time I read it :-P

Thanks,
Eric

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
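Added example, not part of the original thread or written by either poster: a small audit for the risk Cos raises, listing accounts with an empty /etc/shadow password field that are not on an approved list and checking whether sshd_config would accept empty passwords. The account names (term01, term02, backup), the allowlist, the function names and both sample files are constructed assumptions.

```python
# Added example. Sample data below is constructed, not taken from the thread.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:12900:0:99999:7:::
term01::12900:0:99999:7:::
term02::12900:0:99999:7:::
backup::12900:0:99999:7:::
daemon:*:12900:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitEmptyPasswords no
permitemptypasswords yes
PermitEmptyPasswords no
"""

def empty_password_accounts(shadow_text):
    """Names whose shadow password field (2nd field) is empty: no password at all."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names

def sshd_permits_empty_passwords(config_text):
    """True if sshd would accept empty passwords globally or in any Match block."""
    global_value, in_match = None, False
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()          # sshd_config keywords are case-insensitive
        if key == "match":
            in_match = True             # everything after this is conditional
        elif key == "permitemptypasswords" and len(parts) > 1:
            enabled = parts[1].lower() == "yes"
            if in_match and enabled:
                return True             # conservative: any conditional "yes" counts
            if not in_match and global_value is None:
                global_value = enabled  # first global value wins; later ones ignored
    return bool(global_value)           # unset means the default, "no"

def audit(shadow_text, sshd_text, allowed):
    """Findings: passwordless accounts outside `allowed`, and sshd exposure."""
    empty = empty_password_accounts(shadow_text)
    findings = [f"unexpected empty password: {n}" for n in empty if n not in allowed]
    if empty and sshd_permits_empty_passwords(sshd_text):
        findings.append("sshd accepts empty passwords for: " + ", ".join(empty))
    return findings
```

On a real host, pass the contents of /etc/shadow and /etc/ssh/sshd_config (read as root) to `audit()` together with the set of accounts that are meant to be passwordless.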