Bug 675780 - nopasswdlogin password-less login broken
Status: RESOLVED NOTGNOME
Product: gdm
Classification: Core
Component: general
Version: 3.2.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: GDM maintainers
QA Contact: GDM maintainers
Reported: 2012-05-09 21:16 UTC by morgan read
Modified: 2013-06-04 12:49 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
pic of "Changing password" dia (32.71 KB, image/png)
2012-05-11 20:16 UTC, morgan read
pic of "Changing password" dia with no Action menu (31.87 KB, image/png)
2012-05-11 20:17 UTC, morgan read
edited fedora pam gdm-password file (923 bytes, application/octet-stream)
2012-05-12 17:17 UTC, morgan read
default fedora pam gdm file (774 bytes, application/octet-stream)
2012-05-12 22:27 UTC, morgan read
default fedora pam gdm-password file (789 bytes, application/octet-stream)
2012-05-12 22:28 UTC, morgan read
proposed fedora pam gdm-password file (861 bytes, application/octet-stream)
2012-05-12 22:31 UTC, morgan read

Description morgan read 2012-05-09 21:16:09 UTC
Password-less login as described here:
https://bugzilla.gnome.org/show_bug.cgi?id=414862#c21
http://library.gnome.org/admin/gdm/stable/security.html.en#PAM (last para.)
https://bugzilla.gnome.org/show_bug.cgi?id=633015#c0 (2nd para.)

Is broken in GDM 3.2.1 and pam 1.1.5-5 (fedora 16).  Also seems broken in GDM 3.4.1-2 and pam 1.1.5-2 (archlinux), see here:
https://bbs.archlinux.org/viewtopic.php?pid=1093628#p1093628

GDM login prompts for password and fails without entry.
Comment 1 Ray Strode [halfline] 2012-05-10 14:40:14 UTC
If you run "passwd -d username" or go into the User Accounts panel and set "Do not use password for this account", do those things work?
Comment 2 morgan read 2012-05-11 06:28:39 UTC
I don't want to remove passwords from my accounts - there's a whole discussion about why that's not a good thing here:
http://markmail.org/message/2h5isyf3kip6updb#query:+page:1+mid:pa6lrzmwdtbol5it+state:results
I'm sure "passwd -d username" would work, but do you want me to check?  

Under User Accounts ($ gnome-control-center > User Accounts) there is no option to set "Do not use password for this account".  There is only an option for "Automatic Login" which works, but it's what it says it is and doesn't allow for choosing multiple users from the gdm greeter, i.e. it simply logs into 1 account only on system boot.
Comment 3 Ray Strode [halfline] 2012-05-11 16:46:24 UTC
I don't see anything in that thread that says why it's a bad idea? (could be I missed it when I was skimming). I'm curious why you don't like it.

In User Accounts, click on your password (the bullets) and then for Action choose "Do not use password for this account".  That's the main supported way to get what you're wanting.

I believe it does passwd -d under the hood, though, so if you think that's a bad idea, this isn't going to be a sufficient solution for you.

Can you attach your pam configuration?
Comment 4 morgan read 2012-05-11 20:16:44 UTC
Created attachment 213886 [details]
pic of "Changing password" dia
Comment 5 morgan read 2012-05-11 20:17:51 UTC
Created attachment 213887 [details]
pic of "Changing password" dia with no Action menu
Comment 6 morgan read 2012-05-11 20:18:12 UTC
http://markmail.org/message/2h5isyf3kip6updb#query:+page:1+mid:pa6lrzmwdtbol5it+state:results (paras. 1-3):
Hi there!

Quite a long time ago, I opened bug 414862 [1] about implementing a feature in GDM that would allow to skip password checking for users specified in the gdm-setup. This would allow desktop users to easily get into their account since they don't really need a password. But at the same time we would not lose all security since sudo and PolicyKit would still ask for the password for administration tasks, and ssh connexions could work too.

This solution is thus much better than the current 'passwd -d' workaround, which doesn't work by default in many distributions. KDM already implements this (see the link in the bug report) and many people are used to the Windows behavior of no password at all - which is not secure.
...

Not secure = not good idea = bad idea?


> In User Accounts, click on your password (the bullets) and then for Action
> choose "Do not use password for this account".  That's the main supported way
> to get what you're wanting.
So, should Bug 41482 be reopened - or is this regression considered a feature?


Also, attached screen shots of "$ gnome-control-center > User Accounts > Change password for".  There's no "Do not use password for this account" option, but I assume "Login without password" option from the Action menu is the same?

Two screen shots attached because the Action drop down menu seems to come and go...  Should another bug be opened for that?
Comment 7 Milan Bouchet-Valat 2012-05-11 22:40:05 UTC
Yeah, this was an interesting feature in my opinion, that's why I implemented it. But it only depends on one line in the PAM configuration file for GDM, and this line is still present upstream[1]. The problem is only in distributions that ship a PAM config file that doesn't include this line. I don't think Fedora ever supported this feature, and actually I'm only aware of Ubuntu supporting this out of the box. Are you sure there was a regression in any distribution?

Another issue is that users-admin from gnome-system-tools supported the nopasswdlogin group with the "Allow login without password" option, but the new user accounts gnome-control-center applet doesn't. I filed bug 633015 a long time ago, but somebody would need to work on this, and I don't really have the time to do this now.


1: http://git.gnome.org/browse/gdm/tree/data/gdm
Comment 8 morgan read 2012-05-12 17:16:00 UTC
Umm, attached is my gdm pam config (omitted last post, sorry Ray).

I was about to reply to Milan's post that the failure seemed to be with gdm and not distribution specific (re krisse7's archlinux forum post referred to in opening comment above).  BUT, following Milan's link to the default gdm-password, I replaced my (attached) edited fedora gdm-password with the default and... it works...

Hmm, perhaps someone could help me with the pertinent distinction between my gdm-password and the default?  And, just before I get a rtfm response, I do think I have followed the gdm manual - so, perhaps this is a bug with the relevant words in the manual rather than gdm?

I notice in the archlinux wiki:
https://wiki.archlinux.org/index.php/GDM#Passwordless_login
There is a note about adding the nopasswdlogin line right before the first line that contains "pam_unix.so" in it.  And there is no pam_unix.so in the current gdm-password?
Comment 9 morgan read 2012-05-12 17:17:16 UTC
Created attachment 213926 [details]
edited fedora pam gdm-password file
Comment 10 Milan Bouchet-Valat 2012-05-12 19:20:26 UTC
(In reply to comment #8)
> Umm, attached is my gdm pam config (omitted last post, sorry Ray).
> 
> I was about to reply to Milan's post that the failure seemed to be with gdm and
> not distribution specific (re krisse7's archlinux forum post referred to in
> opening comment above).  BUT, following Milan's link to the default
> gdm-password, I replaced my (attached) edited fedora gdm-password with the
> default and... it works...
> 
> Hmm, perhaps someone could help me with the pertinent distinction between my
> gdm-password and the default?  And, just before I get a rtfm response, I do
> think I have followed the gdm manual - so, perhaps this is a bug with the
> relevant words in the manual rather than gdm?
No, the problem is that distributions (Arch here) do not ship configuration files provided by GDM. So it's up to them to patch the docs or make it work as intended.

> I notice in the archlinux wiki:
> https://wiki.archlinux.org/index.php/GDM#Passwordless_login
> There is a note about adding the nopasswdlogin line right before the first line
> that contains "pam_unix.so" in it.  And there is no pam_unix.so in the current
> gdm-password?
This line is imported from other generic PAM config files. For example, in the upstream GDM file, there is:
auth       include     system-auth
and in Arch, there is:
auth        substack      password-auth

So have a look at your password-auth file.

I'm closing the bug as the problem can only be fixed in Arch.
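
Added example, not part of the original thread and not GDM's or any distribution's code: a small audit that flattens a PAM service's auth stack through include/substack, as described in comment 10, and reports where the nopasswdlogin rule sits relative to pam_unix.so. The rule text `auth sufficient pam_succeed_if.so user ingroup nopasswdlogin`, the sample file contents and the function names are assumptions made for illustration.

```python
import re

# Constructed sample files modelled on the thread (not the real Fedora/Arch files).
SAMPLE = {
    "gdm-password": (
        "auth     sufficient  pam_succeed_if.so user ingroup nopasswdlogin\n"
        "auth     substack    password-auth\n"
        "account  include     password-auth\n"),
    "gdm-misplaced": (
        "auth     substack    password-auth\n"
        "auth     sufficient  pam_succeed_if.so user ingroup nopasswdlogin\n"),
    "sshd": "auth     substack    password-auth\n",
    "password-auth": (
        "auth     required    pam_env.so\n"
        "auth     sufficient  pam_unix.so nullok try_first_pass\n"
        "auth     required    pam_deny.so\n"),
}

def auth_stack(service, files, seen=()):
    """Flatten the auth lines of a service, following include/substack."""
    if service in seen:  # guard against include loops
        return []
    out = []
    for line in files.get(service, "").splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0].lstrip("-") != "auth":
            continue  # other module types, comments, blank lines
        control, target = parts[1], parts[2]  # bracketed controls are not parsed
        if control in ("include", "substack"):
            out += auth_stack(target, files, seen + (service,))
        else:
            out.append((control, target, " ".join(parts[3:])))
    return out

def nopasswd_status(service, files, group="nopasswdlogin"):
    """Return 'bypass' (rule before pam_unix.so), 'misplaced' or 'absent'."""
    status, unix_seen = "absent", False
    rule = re.compile(r"\buser\s+ingroup\s+" + re.escape(group) + r"\b")
    for control, module, args in auth_stack(service, files):
        if module == "pam_unix.so":
            unix_seen = True
        elif module == "pam_succeed_if.so" and control == "sufficient" and rule.search(args):
            if not unix_seen:
                return "bypass"
            status = "misplaced"
    return status
```

Run over every file in /etc/pam.d, a result of "bypass" for any service other than the display manager's (for example sshd or sudo) means group members can authenticate there without a password as well.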
Comment 11 morgan read 2012-05-12 22:26:39 UTC
Milan, perhaps I have caused some confusion with my reference to Arch - I'm running fedora; krisse7 seems to be running Arch.

I realise what you say of Arch is probably equally applicable to fedora, but before I open a bug in fedora/red hat that nopasswdlogin should be implemented as a more secure alternative to "passwd -d username", it would be good to be able to offer a solution.

To confuse things (me) fedora includes a number of pam gdm* files, including the default fedora pam gdm and gdm-password, attached.  From what you say above re Arch (indeed, fedora's pam password-auth contains "pam_unix.so") is my edited pam gdm-password a complete solution, attached as gdm-password.proposed - or should pam gdm need editing or anything else?

Many thanks.
Comment 12 morgan read 2012-05-12 22:27:54 UTC
Created attachment 213939 [details]
default fedora pam gdm file
Comment 13 morgan read 2012-05-12 22:28:25 UTC
Created attachment 213940 [details]
default fedora pam gdm-password file
Comment 14 morgan read 2012-05-12 22:31:35 UTC
Created attachment 213941 [details]
proposed fedora pam gdm-password file
Comment 15 Milan Bouchet-Valat 2012-05-13 10:44:47 UTC
I'm also using Fedora, so this makes things a little simpler. I don't see a /etc/pam.d/gdm file on F17 here, but the gdm-password file you propose in Comment 14 makes sense to me. Anyway, this change will be triple-checked by security experts in Fedora if they accept it, and they'll know better than us.
Comment 16 Ray Strode [halfline] 2012-05-14 20:26:10 UTC
We're actually moving the pam files upstream. See bug 675085.
Comment 17 morgan read 2013-06-04 12:49:10 UTC
Created redhat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=970597