Eric on 19 Aug 2005 14:41:32 -0000



Re: [PLUG] Terminal/shell login with no password


Quoting Cosmin Nicolaescu <cos@camelot.homelinux.com>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sat, August 20, 2005 8:29 pm, Eric wrote:
> > I need some SysAdmin advice...
> >
> > I have a Red Hat box that I'm installing some software on and the users
> > expect to connect with no password.  I'm okay with that since it's not on
> > the network and they are all hard-wired terminals.  First I tried zeroing
> > out the password in the neat little gooey (GUI) tool but it won't let me
> > save the user that way.  Failing that, I tried to replace the "x" in the
> > password file with nothing.  No joy - the login fails without even asking
> > for the password.
> >
> > Does this mean that I have to tinker with PAM?   Last time I tried that I
> > froze myself out of the damn box so bad I had to boot into single user
> > mode and un-do my mistake(s).  Since then I've just left it alone :-)
> >
> > Thanks,
> > Eric
> > --
> 
> Just a quick question on the matter:
> 
> how does the software connect? I mean, you're talking about blank
> passwords, and been getting the 'delete the password entries in
> /etc/shadow', but that would mean that the users would have no
> password...at all...unless you have PermitEmptyPasswords no in
> /etc/ssh/sshd_config, anybody will get in your box, if you have a mail
> server, then all imap/pop access will be passwordless...
> 
> now, if you don't have any remote services, which means that in order to
> use that software the users would have to come to the machine locally and
> start the software, you might have some better options, but they all
> depend on how the software operates:
> 
> 1. you edit /etc/pam.d/login to not check for password
> 2. you add a file to /etc/pam.d/ for this software, and bypass the
> password authentication (this requires the software to support pam)
> 3. you add the users to a group and use sudo to give the users in that
> group access to the software with NOPASSWD (that would imply that
> everybody would run the software as the same user)
> 4. you have some sort of wrapper script
> 
> Again, a description of what the software does and knowing how it works
> would be needed for the best solution, but all I'm trying to make sure is
> that you don't have a system out there on the net with n (where n>0)
> passwordless accounts.
> 
> - -Cos

Thanks to everybody who has responded.  I've been experimenting.

Meanwhile, here are some details:

The computer is NOT connected to the internet.  It
   IS connected to a private internal network only.
   I would not allow it to run with no passwords if
   it was on the internet.

The application uses ncurses - terminal based only.

When the users log on they are sent directly to the 
   application menu (via .login script for csh).

Yes, they can interrupt the script (ctrl-c) but they 
   don't know it and even if they did they don't know 
   what to do with a shell prompt.

Most users connect via "hard line" - serial connected 
   terminal.

The few remaining users connect via telnet from the 
   internal network.

So, we're really talking about login not requiring 
a password for _some_ user accounts.

I tried on my SuSE system to have an account with 
null /etc/password and /etc/shadow entries for the 
user.  Cannot log in.  I believe PAM will be the 
solution but I'm not sure how to restrict it to a
subset of the users.  

Looks like it's PAM documentation reading time for me.
Hope it's improved since the last time I read it :-P

Thanks,
Eric
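
The check Cos asks for above (which accounts have an empty password field, and whether sshd would accept them), as an added example that is not part of the original messages. The sample files and the account names menu1 and menu2 are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit for the exposure raised in the thread.
# Sample files below are constructed; point audit() at real paths to use it.

# Print every account whose shadow password field (2nd field) is empty.
list_empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Succeed only if the sshd_config sets PermitEmptyPasswords to yes.
# Keywords are case-insensitive and the first occurrence wins; a missing
# keyword counts as "no" (OpenSSH's default). Match blocks are not evaluated.
sshd_permits_empty() {
    value=$(awk 'tolower($1) == "permitemptypasswords" { print tolower($2); exit }' "$1")
    [ "$value" = "yes" ]
}

# audit SHADOW SSHD_CONFIG -> 0: no empty passwords, 1: empty passwords but
# sshd refuses them, 2: empty passwords and sshd accepts them.
audit() {
    empties=$(list_empty_password_accounts "$1")
    if [ -z "$empties" ]; then
        echo "OK: no accounts with an empty password field"
        return 0
    fi
    echo "Empty password field:" $empties
    if sshd_permits_empty "$2"; then
        echo "WARNING: sshd accepts empty passwords for these accounts"
        return 2
    fi
    echo "sshd refuses empty passwords; check telnet, IMAP/POP and other PAM services"
    return 1
}

# Write constructed sample files (hypothetical accounts menu1, menu2) into DIR.
write_sample() {
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
menu1::19000:0:99999:7:::
menu2::19000:0:99999:7:::
EOF
    printf '#PermitEmptyPasswords yes\nPermitEmptyPasswords no\n' > "$1/sshd_config"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit "$demo_dir/shadow" "$demo_dir/sshd_config" || echo "audit status: $?"
rm -rf "$demo_dir"
```

Run as root against /etc/shadow and /etc/ssh/sshd_config; locked accounts (`*`, `!`) are not reported because their password field is not empty.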


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug