Allowing password-less connexions


Allowing password-less connexions

by Milan Bouchet-Valat

Hi! I was discussing on GDM's list of implementing a graphical way to
allow users to login through GDM and gnome-screensaver without entering
their password. I'd like to code it and it may well be that users-admin
is the place it should go into. This is a much wanted feature that is
preserving security for remote login and administrative tasks.

It is easy to set up using PAM: you need to modify /etc/pam.d/gdm.conf
so that it contains this:
"auth sufficient pam_listfile.so sense=allow file=/etc/gdm/nopassword item=user"

What we only need is a GUI to select which users will be listed in this
file. First I thought gdm-setup would be the place to do that, but now I
believe it would be nice to put it in users-admin. See my post to the
GDM list. I'd like to get your comments about this.


Cheers


-------- Transferred message --------
From: Milan Bouchet-Valat <nalimilan@...>
To: Maarten de Boer <mdeboer@...>
Cc: gdm-list@...
Subject: Re: [gdm-list] Allowing password-less connexions
Date: Sun, 04 May 2008 18:07:32 +0200

I've just read the answer Martin got last time he raised this issue.
Obviously distro-specific PAM will be a problem - but what would be nice
is that a distribution wanting to enable this feature can do this
easily. For this we would need mostly a GUI, since PAM files are anyway
written by the distros.

After thinking a little more, I thought that maybe it would be more
logical and easier to add a checkbox in the users profiles in
users-admin (from gnome-system-tools) allowing to skip password check in
GDM/gnome-screensaver. This option would just write the username to a
file (/etc/gdm-nopasswd.list, /etc/nopasswd.list or so...).
Distributions would have to choose between updating pam.d conf files
accordingly so that this is working, or disabling/hiding this feature
(via a GConf key for example).

Adding this in GDM would require more work and an extended interface,
and moreover the per-user approach may be more friendly than configuring
the login screen (system-wide).

Any comments/criticisms? I'm contacting the g-s-t team to hear what they
think of it, and I CC the gdm-list.

_______________________________________________
system-tools-list mailing list
system-tools-list@...
http://mail.gnome.org/mailman/listinfo/system-tools-list

Re: Allowing password-less connexions

by Wolf Halton

I am a new reader, so I apologize for any really obvious idiocy upon my part.  Is this feature supposed to make it possible to log in as a regular user and do password-free sudo commands? or is it intended to make a basic user a de facto root-user (which would do away with the sudoers log entry for whatever the user might do).  I can see some point to the former but wouldn't they both be security holes waiting for exploit?  Personally, I see the effortless admin access of Windows to be one of the major flaws of the Windows model.  Yes, I can see that this is a voluntary change and everybody should be allowed to endanger their home PC as much as they like, but why would one wish to encourage Linux-based bot-nets?

Wolf Halton
Computer Security and Penetration Testing (2007)

Milan Bouchet-Valat  wrote:

Date: Sun, 04 May 2008 18:19:48 +0200
From: Milan Bouchet-Valat
Subject: [system-tools] Allowing password-less connexions
To: system-tools-list@...
Cc: gdm-list
Message-ID: <1209917988.6148.23.camel@milan>
Content-Type: text/plain; charset=UTF-8

--
Click on WolfHalton.info and Speak Your Mind!

Of all things, good sense is the most fairly distributed: everyone thinks he is so well supplied with it that even those who are the hardest to satisfy in every other respect never desire more of it than they already have. -- René Descartes - Discours de la Méthode



Re: Allowing password-less connexions

by Milan Bouchet-Valat

> I am a new reader, so I apologize for any really obvious idiocy upon
> my part.  Is this feature supposed to make it possible to log in as a
> regular user and do password-free sudo commands? or is it intended to
> make a basic user a defacto root-user (which would do away with the
> sudoers log entry for whatever the user might do).  I can see some
> point to the former but wouldn't they both be security holes waiting
> for exploit?  Personally, I see the effortless admin access of
> Windows to be one of the major flaws of the windows model.  Yes, I can
> see that this is a voluntary change and everybody should be allowed to
> endanger their home pc as much as they like, but why would one wish to
> encourage linux-based bot-nets?
>
> Wolf Halton
> Computer Security and Penetration Testing (2007)
None of both points!

This feature is intended to allow users that an administrator chooses to
skip the password check when logging locally from GDM (graphical login)
or the screensaver. Then, anybody who already has physical access to the
desktop will be able to get to the account of this user, be he
unprivileged or admin.

But then a potential attacker cannot go further: even if the user is an
admin, sudo, gksudo and PolicyKit will require him to enter his password
to perform any admin task. This is how this feature is different from
the weak protection that Windows allows. The only thing you can access
with password-less connection is the user files. And this is only
possible on a local approach: remotely, you can still use ssh securely
and without any hole, using your password.


I hope this solves your concerns


Re: Allowing password-less connexions

by Carlos Garnacho

Hi!

On Sun, 2008-05-04 at 18:19 +0200, Milan Bouchet-Valat wrote:

> Hi! I was discussing on GDM's list of implementing a graphical way to
> allow users to login through GDM and gnome-screensaver without entering
> their password. I'd like to code it and it may well be that users-admin
> is the place it should go into. This is a much wanted feature that is
> preserving security for remote login and administrative tasks.
>
> It is easy to set up using PAM: you need to modify /etc/pam.d/gdm.conf
> so that it contains this:
> "auth sufficient pam_listfile.so sense=allow file=/etc/gdm/nopassword
> item=user"
>
> What we only need is a GUI to select which users will be listed in this
> file. First I thought gdm-setup would be the place to do that, but now I
> believe it would be nice to put it in users-admin. See my post to the
> GDM list. I'd liek to get your comments about this.

Couldn't this be set through a group so that all users in that group
wouldn't need their passwords? users-admin already has code/ui towards
showing certain groups as a privilege the user can acquire, it would
make sense to me having this included there, and the changes in
users-admin would be really trivial too.

Regards,
   Carlos




Re: Allowing password-less connexions

by Milan Bouchet-Valat

On Monday 12 May 2008 at 18:51 +0200, Carlos Garnacho wrote:
> Couldn't this be set through a group so that all users in that group
> wouldn't need their passwords? users-admin already has code/ui towards
> showing certain groups as a privilege the user can acquire, it would
> make sense to me having this included there, and the changes in
> users-admin would be really trivial too.
Good idea, but I don't know whether PAM provides a module that would
allow being member of a specific group to be "sufficient" to
authenticate. I'm going to search for such a module, but if somebody
knows about it...



Re: [gdm-list] Allowing password-less connexions

by Milan Bouchet-Valat

On Tuesday 13 May 2008 at 17:52 -0700, Dan Nicholson wrote:

> On Tue, May 13, 2008 at 2:00 PM, Milan Bouchet-Valat <nalimilan@...> wrote:
> > On Monday 12 May 2008 at 18:51 +0200, Carlos Garnacho wrote:
> >
> > > Couldn't this be set through a group so that all users in that group
> >  > wouldn't need their passwords? users-admin already has code/ui towards
> >  > showing certain groups as a privilege the user can acquire, it would
> >  > make sense to me having this included there, and the changes in
> >  > users-admin would be really trivial too.
> >  Good idea, but I don't know whether PAM provides a module that would
> >  allow being member of a specific group to be "sufficient" to
> >  authenticate. I'm going to search for such a module, but if somebody
> >  knows about it...
>
> See pam_succeed_if(8). I think you probably want something like:
>
> auth sufficient pam_succeed_if.so user ingroup <group>
Thank you very much, I guess we have all we need now.

So the plan can be:
- add a way to set users members of a group called "nopasslogin" or something nicer (ideas?)
- add a key in the gconf schemes so that distributions can enable or disable this feature when they want
- create templates for pam.d file of gnome-screensaver and gdm

Some questions:
- Using the current framework/tab called Privileges to add or remove users from that group is almost instant. However, login without password is not really a privilege. Is it worth adding a checkbox in the first tab that would do the same task (using hopefully the same code)? It would be easier to set up and more logical (who will go to Privileges to remove the need of a password?)
- Are the pam.d files only provided by distributors or are there templates in GNOME (which I did not find in SVN)?

Any other problems? Else I'll start looking into a (rather little) patch.

[Next message we can maybe remove the CC to gdm-list, much noise for something external. Readers, please follow... ;-)]

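The argument made earlier in this thread, that the password is skipped only for local GDM and gnome-screensaver logins while ssh and sudo still ask for it, holds only if the "auth sufficient" line sits in those two service files and not in a shared file that other services include. The script below is an added example, not code from the thread or from GNOME: it scans a pam.d directory for the two lines quoted in the thread and follows includes. The function names, the constructed sample tree and the use of the group name nopasslogin are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report which PAM services can be
# satisfied without a password. All function names are hypothetical.

# Print the active "auth sufficient" lines in FILE that skip the password via
# pam_listfile (sense=allow) or pam_succeed_if (user ingroup ...).
# Only the plain "sufficient" control keyword is recognised, not [...] forms.
bypass_lines() {
    awk '
        /^[ \t]*#/ { next }
        ($1 == "auth" || $1 == "-auth") && $2 == "sufficient" &&
        (($3 ~ /pam_listfile\.so$/ && /sense=allow/) ||
         ($3 ~ /pam_succeed_if\.so$/ && /user[ \t]+ingroup/)) { print }
    ' "$1"
}

# Print the names FILE pulls into its auth stack: Debian-style "@include NAME"
# and "auth include NAME" / "auth substack NAME".
includes_of() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "@include" { print $2 }
        ($1 == "auth" || $1 == "-auth") && ($2 == "include" || $2 == "substack") { print $3 }
    ' "$1"
}

# Print SERVICE followed by every file it includes, transitively.
# The set only grows, so the loop ends even if includes form a cycle.
reachable_files() {
    rf_dir=$1
    rf_seen=$2
    while :; do
        rf_new=$rf_seen
        for rf_f in $rf_seen; do
            [ -f "$rf_dir/$rf_f" ] || continue
            for rf_inc in $(includes_of "$rf_dir/$rf_f"); do
                case " $rf_new " in
                    *" $rf_inc "*) ;;
                    *) rf_new="$rf_new $rf_inc" ;;
                esac
            done
        done
        [ "$rf_new" = "$rf_seen" ] && break
        rf_seen=$rf_new
    done
    echo "$rf_seen"
}

# audit_pam_dir DIR ALLOWED...: for every service file in DIR whose auth stack
# reaches a bypass line, print "expected SVC via FILE" when SVC is listed in
# ALLOWED and "UNEXPECTED SVC via FILE" otherwise.
audit_pam_dir() {
    ap_dir=$1
    shift
    ap_allowed=" $* "
    for ap_path in "$ap_dir"/*; do
        [ -f "$ap_path" ] || continue
        ap_svc=${ap_path##*/}
        for ap_f in $(reachable_files "$ap_dir" "$ap_svc"); do
            [ -f "$ap_dir/$ap_f" ] || continue
            [ -n "$(bypass_lines "$ap_dir/$ap_f")" ] || continue
            case "$ap_allowed" in
                *" $ap_svc "*) echo "expected $ap_svc via $ap_f" ;;
                *)             echo "UNEXPECTED $ap_svc via $ap_f" ;;
            esac
        done
    done
}

# make_sample DIR WHERE: build a constructed pam.d tree for testing.
# WHERE=service puts the bypass line in gdm only; WHERE=shared puts it in
# common-auth, which gdm and sshd both include.
make_sample() {
    ms_dir=$1
    ms_line='auth sufficient pam_succeed_if.so user ingroup nopasslogin'
    mkdir -p "$ms_dir"
    printf 'auth required pam_unix.so\n' > "$ms_dir/common-auth"
    printf '@include common-auth\n' > "$ms_dir/gdm"
    printf '@include common-auth\n' > "$ms_dir/sshd"
    # A commented-out bypass line must not be reported.
    printf '# %s\nauth required pam_unix.so\n' "$ms_line" > "$ms_dir/sudo"
    case $2 in
        service) printf '%s\n@include common-auth\n' "$ms_line" > "$ms_dir/gdm" ;;
        shared)  printf '%s\nauth required pam_unix.so\n' "$ms_line" > "$ms_dir/common-auth" ;;
    esac
}
```

On a real system this would be called as audit_pam_dir /etc/pam.d gdm gnome-screensaver; any UNEXPECTED line means a service other than the two intended ones accepts a login without a password.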

Re: Allowing password-less connexions

by Milan Bouchet-Valat

Here's a first version of a patch. Are you using Glade 2? There are so
many differences only adding a single checkbox, I guess this may be
because I saved the file with Glade 3. So I don't post this file here,
I'll try again with the version 2 if you confirm.

I had to move find_group_in_profile from privileges-table.c to
user-profiles.c in order to avoid code duplication. If this is a problem
I can simply copy 6 lines of code inline and revert this.

Another point is oobs_group_new (): is this function creating a new
OobsGroup referring to an already existing *system* group, or is it meant
to create a new system group? (see what I did in the code)

Attached is the same diff, if you prefer. Questions, comments and
criticisms are welcome!

Cheers



gnome-system-tools/src/users$ svn diff .
Index: privileges-table.c
===================================================================
--- privileges-table.c (révision 4234)
+++ privileges-table.c (copie de travail)
@@ -219,29 +219,6 @@
  }
 }
 
-static gboolean
-find_group_in_profile (OobsGroup      *group,
-       GstUserProfile *profile)
-{
- gchar **groups;
- const gchar *name;
-
- if (!profile->groups)
- return FALSE;
-
- groups = profile->groups;
- name = oobs_group_get_name (group);
-
- while (*groups) {
- if (strcmp (*groups, name) == 0)
- return TRUE;
-
- groups++;
- }
-
- return FALSE;
-}
-
 void
 privileges_table_set_from_profile (GstUserProfile *profile)
 {
@@ -262,7 +239,7 @@
     -1);
 
  gtk_list_store_set (GTK_LIST_STORE (child_model), &iter,
-    COL_MEMBER, find_group_in_profile (group, profile),
+    COL_MEMBER, gst_user_profiles_find_group (group, profile),
     -1);
 
  valid = gtk_tree_model_iter_next (child_model, &iter);
Index: user-profiles.c
===================================================================
--- user-profiles.c (révision 4234)
+++ user-profiles.c (copie de travail)
@@ -202,3 +202,26 @@
 
  return priv->default_profile;
 }
+
+gboolean
+gst_user_profiles_find_group (OobsGroup      *group,
+              GstUserProfile *profile)
+{
+ gchar **groups;
+ const gchar *name;
+
+ if (!profile->groups)
+ return FALSE;
+
+ groups = profile->groups;
+ name = oobs_group_get_name (group);
+
+ while (*groups) {
+ if (strcmp (*groups, name) == 0)
+ return TRUE;
+
+ groups++;
+ }
+
+ return FALSE;
+}
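Review bot: gst_user_profiles_find_group () is now exported, but it still dereferences profile and hands the result of oobs_group_get_name (group) straight to strcmp () without checking either for NULL. Callers outside privileges-table.c will now reach it, so add g_return_val_if_fail guards for group and profile and return FALSE when name is NULL. The gst_user_profiles_ prefix also suggests a GstUserProfiles * first argument, which this function does not take; a short comment saying that it tests a profile's group list, not a user's actual membership, would prevent misuse.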
Index: user-profiles.h
===================================================================
--- user-profiles.h (révision 4234)
+++ user-profiles.h (copie de travail)
@@ -68,6 +68,8 @@
  const gchar     *profile);
 GstUserProfile*  gst_user_profiles_get_current (GstUserProfiles
*profiles);
 GstUserProfile*  gst_user_profiles_get_default_profile (GstUserProfiles
*profiles);
+gboolean         gst_user_profiles_find_group (OobsGroup        *group,
+                                       GstUserProfile   *profile);
 
 
 G_END_DECLS
Index: user-settings.c
===================================================================
--- user-settings.c (révision 4234)
+++ user-settings.c (copie de travail)
@@ -312,9 +312,11 @@
 user_settings_dialog_new (OobsUser *user)
 {
  OobsUsersConfig *config;
+ OobsGroup passwdless_group;
  GtkWidget *dialog, *widget;
  const gchar *login = NULL;
  gchar *title;
+ gchar *passwdless_group_name;
  gint uid;
 
  dialog = gst_dialog_get_widget (tool->main_dialog,
"user_settings_dialog");
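Review bot: the new declaration OobsGroup passwdless_group; at the top of user_settings_dialog_new () is an object by value, yet later in this patch it receives the return value of oobs_group_new (), and the matching declaration further down in this file is OobsGroup *passwdless_group. Declare it as a pointer here as well. passwdless_group_name is later assigned the literal "passwordless" as a fallback, so it should be const gchar *, or the fallback should be duplicated if the gstconf_get_string () result is meant to be freed.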
@@ -389,6 +391,18 @@
  widget = gst_dialog_get_widget (tool->main_dialog,
"user_passwd_manual");
  gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (widget), TRUE);
 
+ /* set password-less login */
+ if (gstconf_get_bool (users, "passwordless_allowed")) {
+ widget = gst_dialog_get_widget (tool->main_dialog,
"user_passwd_passwordless");
+ gtk_widget_set_sensitive (widget, TRUE);
+ passwdless_group_name = gstconf_get_string (users,
"passwordless_group_name");
+ if (!passwdless_group_name)
+ passwdless_group_name = "passwordless";
+ passwdless_group = oobs_group_new (passwdless_group_name);
+ if (gst_profile_find_group (passwdless_group, user)
+ gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON(widget), TRUE);
+ }
+
  if (!login)
  table_set_default_profile (GST_USERS_TOOL (tool));
 
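Review bot: the condition if (gst_profile_find_group (passwdless_group, user) is missing its closing parenthesis, and the function it calls is not the one this patch adds. The helper is declared as gst_user_profiles_find_group (OobsGroup *, GstUserProfile *), while this call uses a different name and passes user, an OobsUser *, as the second argument. Even with the name fixed, that helper only inspects a profile's group list, so it cannot say whether this particular user is in the password-less group; the checkbox should reflect the user's real membership. The object returned by oobs_group_new () is also never released in this block.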
@@ -638,8 +652,10 @@
 {
  GtkWidget *widget;
  OobsGroup *group;
+ OobsGroup *passwdless_group;
  OobsUser *user;
  const gchar *str;
+ gchar *passwdless_group_name;
  gboolean password_changed;
 
  widget = gst_dialog_get_widget (tool->main_dialog,
"user_settings_name");
@@ -690,6 +706,18 @@
  oobs_user_set_password (user, gtk_entry_get_text (GTK_ENTRY
(widget)));
  }
 
+ /* allowed to login without password? */
+ widget = gst_dialog_get_widget (tool->main_dialog,
"user_passwd_passwordless");
+ passwdless_group_name = gstconf_get_string (users,
"passwordless_group_name");
+ if (!passwdless_group_name)
+ passwdless_group_name = "passwordless";
+ passwdless_group = oobs_group_new (passwdless_group_name);
+ if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON(widget)))
+ oobs_group_add_user (passwdless_group, user);
+ else
+ oobs_group_remove_user (passwdless_group, user);
+ }
+
  group = get_main_group (oobs_user_get_login_name (user));
  oobs_user_set_main_group (user, group);
  g_object_unref (group);
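Review bot: the added block ends with a lone } after the if/else, but none of the added lines opens a brace, so it either closes the enclosing block early or does not compile. It looks like the remains of a guard such as if (gstconf_get_bool (users, "passwordless_allowed")) {, which the dialog-building code uses; restore that guard here so membership is only written when the feature is enabled, or drop the brace. Because membership in this group is what lets PAM skip the password, also settle the question raised in the message about oobs_group_new () before calling oobs_group_add_user () on its result, and release the object as is done for group just below.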



[passwordless.diff]

gnome-system-tools/src/users$ svn diff .
Index: privileges-table.c
===================================================================
--- privileges-table.c (révision 4234)
+++ privileges-table.c (copie de travail)
@@ -219,29 +219,6 @@
  }
 }
 
-static gboolean
-find_group_in_profile (OobsGroup      *group,
-       GstUserProfile *profile)
-{
- gchar **groups;
- const gchar *name;
-
- if (!profile->groups)
- return FALSE;
-
- groups = profile->groups;
- name = oobs_group_get_name (group);
-
- while (*groups) {
- if (strcmp (*groups, name) == 0)
- return TRUE;
-
- groups++;
- }
-
- return FALSE;
-}
-
 void
 privileges_table_set_from_profile (GstUserProfile *profile)
 {
@@ -262,7 +239,7 @@
     -1);
 
  gtk_list_store_set (GTK_LIST_STORE (child_model), &iter,
-    COL_MEMBER, find_group_in_profile (group, profile),
+    COL_MEMBER, gst_user_profiles_find_group (group, profile),
     -1);
 
  valid = gtk_tree_model_iter_next (child_model, &iter);
Index: user-profiles.c
===================================================================
--- user-profiles.c (révision 4234)
+++ user-profiles.c (copie de travail)
@@ -202,3 +202,26 @@
 
  return priv->default_profile;
 }
+
+gboolean
+gst_user_profiles_find_group (OobsGroup      *group,
+              GstUserProfile *profile)
+{
+ gchar **groups;
+ const gchar *name;
+
+ if (!profile->groups)
+ return FALSE;
+
+ groups = profile->groups;
+ name = oobs_group_get_name (group);
+
+ while (*groups) {
+ if (strcmp (*groups, name) == 0)
+ return TRUE;
+
+ groups++;
+ }
+
+ return FALSE;
+}
Index: user-profiles.h
===================================================================
--- user-profiles.h (révision 4234)
+++ user-profiles.h (copie de travail)
@@ -68,6 +68,8 @@
  const gchar     *profile);
 GstUserProfile*  gst_user_profiles_get_current (GstUserProfiles *profiles);
 GstUserProfile*  gst_user_profiles_get_default_profile (GstUserProfiles *profiles);
+gboolean         gst_user_profiles_find_group (OobsGroup        *group,
+                                       GstUserProfile   *profile);
 
 
 G_END_DECLS
Index: user-settings.c
===================================================================
--- user-settings.c (révision 4234)
+++ user-settings.c (copie de travail)
@@ -312,9 +312,11 @@
 user_settings_dialog_new (OobsUser *user)
 {
  OobsUsersConfig *config;
+ OobsGroup passwdless_group;
  GtkWidget *dialog, *widget;
  const gchar *login = NULL;
  gchar *title;
+ gchar *passwdless_group_name;
  gint uid;
 
  dialog = gst_dialog_get_widget (tool->main_dialog, "user_settings_dialog");
@@ -389,6 +391,18 @@
  widget = gst_dialog_get_widget (tool->main_dialog, "user_passwd_manual");
  gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (widget), TRUE);
 
+ /* set password-less login */
+ if (gstconf_get_bool (users, "passwordless_allowed")) {
+ widget = gst_dialog_get_widget (tool->main_dialog, "user_passwd_passwordless");
+ gtk_widget_set_sensitive (widget, TRUE);
+ passwdless_group_name = gstconf_get_string (users, "passwordless_group_name");
+ if (!passwdless_group_name)
+ passwdless_group_name = "passwordless";
+ passwdless_group = oobs_group_new (passwdless_group_name);
+ if (gst_profile_find_group (passwdless_group, user)
+ gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON(widget), TRUE);
+ }
+
  if (!login)
  table_set_default_profile (GST_USERS_TOOL (tool));
 
@@ -638,8 +652,10 @@
 {
  GtkWidget *widget;
  OobsGroup *group;
+ OobsGroup *passwdless_group;
  OobsUser *user;
  const gchar *str;
+ gchar *passwdless_group_name;
  gboolean password_changed;
 
  widget = gst_dialog_get_widget (tool->main_dialog, "user_settings_name");
@@ -690,6 +706,18 @@
  oobs_user_set_password (user, gtk_entry_get_text (GTK_ENTRY (widget)));
  }
 
+ /* allowed to login without password? */
+ widget = gst_dialog_get_widget (tool->main_dialog, "user_passwd_passwordless");
+ passwdless_group_name = gstconf_get_string (users, "passwordless_group_name");
+ if (!passwdless_group_name)
+ passwdless_group_name = "passwordless";
+ passwdless_group = oobs_group_new (passwdless_group_name);
+ if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON(widget)))
+ oobs_group_add_user (passwdless_group, user);
+ else
+ oobs_group_remove_user (passwdless_group, user);
+ }
+
  group = get_main_group (oobs_user_get_login_name (user));
  oobs_user_set_main_group (user, group);
  g_object_unref (group);



Re: Allowing password-less connexions

by Milan Bouchet-Valat

Will somebody answer? ;-)

Waiting for comments, I made a second version so that:
- I use Glade 2 and provide a clean patch for the GUI
- I only use GConf to enable/disable the password-less feature (not for
the name of the group, which is hard-coded)

Cheers

[passwordless.diff]

Index: interfaces/users.glade
===================================================================
--- interfaces/users.glade (révision 4234)
+++ interfaces/users.glade (copie de travail)
@@ -1213,7 +1213,7 @@
       <child>
  <widget class="GtkTable" id="table50">
   <property name="visible">True</property>
-  <property name="n_rows">7</property>
+  <property name="n_rows">8</property>
   <property name="n_columns">4</property>
   <property name="homogeneous">False</property>
   <property name="row_spacing">6</property>
@@ -1459,34 +1459,6 @@
   </child>
 
   <child>
-    <widget class="GtkLabel" id="label237">
-      <property name="visible">True</property>
-      <property name="label" translatable="yes"></property>
-      <property name="use_underline">False</property>
-      <property name="use_markup">False</property>
-      <property name="justify">GTK_JUSTIFY_LEFT</property>
-      <property name="wrap">False</property>
-      <property name="selectable">False</property>
-      <property name="xalign">0</property>
-      <property name="yalign">0.5</property>
-      <property name="xpad">0</property>
-      <property name="ypad">0</property>
-      <property name="ellipsize">PANGO_ELLIPSIZE_NONE</property>
-      <property name="width_chars">-1</property>
-      <property name="single_line_mode">False</property>
-      <property name="angle">0</property>
-    </widget>
-    <packing>
-      <property name="left_attach">0</property>
-      <property name="right_attach">1</property>
-      <property name="top_attach">1</property>
-      <property name="bottom_attach">7</property>
-      <property name="x_options">fill</property>
-      <property name="y_options"></property>
-    </packing>
-  </child>
-
-  <child>
     <widget class="GtkLabel" id="label238">
       <property name="visible">True</property>
       <property name="label" translatable="yes"></property>
@@ -1608,6 +1580,57 @@
       <property name="y_options"></property>
     </packing>
   </child>
+
+  <child>
+    <widget class="GtkCheckButton" id="user_passwd_passwdless">
+      <property name="visible">True</property>
+      <property name="can_focus">True</property>
+      <property name="label" translatable="yes">Don't ask for password at _login</property>
+      <property name="use_underline">True</property>
+      <property name="relief">GTK_RELIEF_NORMAL</property>
+      <property name="focus_on_click">True</property>
+      <property name="active">False</property>
+      <property name="sensitive">False</property>
+      <property name="inconsistent">False</property>
+      <property name="draw_indicator">True</property>
+    </widget>
+    <packing>
+      <property name="left_attach">1</property>
+      <property name="right_attach">4</property>
+      <property name="top_attach">7</property>
+      <property name="bottom_attach">8</property>
+      <property name="x_options">fill</property>
+      <property name="y_options"></property>
+    </packing>
+  </child>
+
+  <child>
+    <widget class="GtkLabel" id="label237">
+      <property name="visible">True</property>
+      <property name="label" translatable="yes"></property>
+      <property name="use_underline">False</property>
+      <property name="use_markup">False</property>
+      <property name="justify">GTK_JUSTIFY_LEFT</property>
+      <property name="wrap">False</property>
+      <property name="selectable">False</property>
+      <property name="xalign">0</property>
+      <property name="yalign">0.5</property>
+      <property name="xpad">0</property>
+      <property name="ypad">0</property>
+      <property name="ellipsize">PANGO_ELLIPSIZE_NONE</property>
+      <property name="width_chars">-1</property>
+      <property name="single_line_mode">False</property>
+      <property name="angle">0</property>
+    </widget>
+    <packing>
+      <property name="left_attach">0</property>
+      <property name="right_attach">1</property>
+      <property name="top_attach">1</property>
+      <property name="bottom_attach">8</property>
+      <property name="x_options">fill</property>
+      <property name="y_options"></property>
+    </packing>
+  </child>
  </widget>
  <packing>
   <property name="padding">0</property>
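Review bot: the label "Don't ask for password at _login" on user_passwd_passwdless understates the effect, since the plan in this thread is for the same group to unlock gnome-screensaver without a password too. Consider wording that covers both, plus a tooltip saying that administrative tasks and remote logins still ask for the password. Separately, label237 is removed and re-added only to change bottom_attach from 7 to 8; if Glade 2 allows it, editing that one property in place would reduce this file's diff to the new widget.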
Index: src/users/privileges-table.c
===================================================================
--- src/users/privileges-table.c (révision 4234)
+++ src/users/privileges-table.c (copie de travail)
@@ -219,29 +219,6 @@
  }
 }
 
-static gboolean
-find_group_in_profile (OobsGroup      *group,
-       GstUserProfile *profile)
-{
- gchar **groups;
- const gchar *name;
-
- if (!profile->groups)
- return FALSE;
-
- groups = profile->groups;
- name = oobs_group_get_name (group);
-
- while (*groups) {
- if (strcmp (*groups, name) == 0)
- return TRUE;
-
- groups++;
- }
-
- return FALSE;
-}
-
 void
 privileges_table_set_from_profile (GstUserProfile *profile)
 {
@@ -262,7 +239,7 @@
     -1);
 
  gtk_list_store_set (GTK_LIST_STORE (child_model), &iter,
-    COL_MEMBER, find_group_in_profile (group, profile),
+    COL_MEMBER, gst_user_profiles_find_group (group, profile),
     -1);
 
  valid = gtk_tree_model_iter_next (child_model, &iter);
Index: src/users/user-profiles.c
===================================================================
--- src/users/user-profiles.c (révision 4234)
+++ src/users/user-profiles.c (copie de travail)
@@ -202,3 +202,26 @@
 
  return priv->default_profile;
 }
+
+gboolean
+gst_user_profiles_find_group (OobsGroup      *group,
+              GstUserProfile *profile)
+{
+ gchar **groups;
+ const gchar *name;
+
+ if (!profile->groups)
+ return FALSE;
+
+ groups = profile->groups;
+ name = oobs_group_get_name (group);
+
+ while (*groups) {
+ if (strcmp (*groups, name) == 0)
+ return TRUE;
+
+ groups++;
+ }
+
+ return FALSE;
+}
Index: src/users/user-profiles.h
===================================================================
--- src/users/user-profiles.h (révision 4234)
+++ src/users/user-profiles.h (copie de travail)
@@ -68,6 +68,8 @@
  const gchar     *profile);
 GstUserProfile*  gst_user_profiles_get_current (GstUserProfiles *profiles);
 GstUserProfile*  gst_user_profiles_get_default_profile (GstUserProfiles *profiles);
+gboolean         gst_user_profiles_find_group (OobsGroup        *group,
+                                       GstUserProfile   *profile);
 
 
 G_END_DECLS
Index: src/users/user-settings.c
===================================================================
--- src/users/user-settings.c (révision 4234)
+++ src/users/user-settings.c (copie de travail)
@@ -312,6 +312,7 @@
 user_settings_dialog_new (OobsUser *user)
 {
  OobsUsersConfig *config;
+ OobsGroup passwdless_group;
  GtkWidget *dialog, *widget;
  const gchar *login = NULL;
  gchar *title;
@@ -389,6 +390,15 @@
  widget = gst_dialog_get_widget (tool->main_dialog, "user_passwd_manual");
  gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (widget), TRUE);
 
+ /* set password-less login */
+ if (gstconf_get_bool (users, "enable_passwordless")) {
+ widget = gst_dialog_get_widget (tool->main_dialog, "user_passwd_passwdless");
+ gtk_widget_set_sensitive (widget, TRUE);
+ passwdless_group = oobs_group_new (PASSWDLESS_GROUP);
+ if (gst_profile_find_group (passwdless_group, user)
+ gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON(widget), TRUE);
+ }
+
  if (!login)
  table_set_default_profile (GST_USERS_TOOL (tool));
 
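Review bot: this version still does not compile at if (gst_profile_find_group (passwdless_group, user): the closing parenthesis is missing, the helper declared in user-profiles.h is gst_user_profiles_find_group (), and passwdless_group is declared in the previous hunk as OobsGroup rather than OobsGroup *. The widget name now matches the id in users.glade, which fixes the lookup. The checkbox is only ever set to TRUE here; if the dialog widgets are reused between users, set it explicitly to FALSE (and insensitive when enable_passwordless is off) so that a state left by a previously edited user is not shown and then saved.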
@@ -638,6 +648,7 @@
 {
  GtkWidget *widget;
  OobsGroup *group;
+ OobsGroup *passwdless_group;
  OobsUser *user;
  const gchar *str;
  gboolean password_changed;
@@ -690,6 +701,15 @@
  oobs_user_set_password (user, gtk_entry_get_text (GTK_ENTRY (widget)));
  }
 
+ /* allowed to login without password? */
+ widget = gst_dialog_get_widget (tool->main_dialog, "user_passwd_passwdless");
+ passwdless_group = oobs_group_new (PASSWDLESS_GROUP);
+ if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON(widget)))
+ oobs_group_add_user (passwdless_group, user);
+ else
+ oobs_group_remove_user (passwdless_group, user);
+ }
+
  group = get_main_group (oobs_user_get_login_name (user));
  oobs_user_set_main_group (user, group);
  g_object_unref (group);
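Review bot: the save path is not guarded by the enable_passwordless key, and the stray } after the else is still present. With the key off, the checkbox is insensitive and inactive, so every save would call oobs_group_remove_user () on PASSWDLESS_GROUP and silently drop a membership that an administrator set up by other means. Wrap the block in the same gstconf_get_bool (users, "enable_passwordless") test used when the dialog is built, which also gives the closing brace its opening one, and release passwdless_group afterwards.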
Index: src/users/user-settings.h
===================================================================
--- src/users/user-settings.h (révision 4234)
+++ src/users/user-settings.h (copie de travail)
@@ -24,6 +24,8 @@
 #ifndef __USER_SETTINGS_H
 #define __USER_SETTINGS_H
 
+#define PASSWDLESS_GROUP "passwordless"
+
 gboolean        user_delete                      (GtkTreeModel *model,
   GtkTreePath *path);
 GtkWidget *     user_settings_dialog_new         (OobsUser *user);
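Review bot: PASSWDLESS_GROUP is now the only link between this UI and the PAM configuration, so the define needs a comment saying that the name must match the group used in the distribution's pam.d line for gdm and gnome-screensaver (auth sufficient pam_succeed_if.so user ingroup <group>). The patch also does not make clear whether the group is created when it is missing; state that it is expected to exist already or add the creation step, otherwise ticking the box has no effect on login.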

