[Libosinfo] [PATCH] debian: Configure PAM to allow empty passwords

Zeeshan Ali (Khattak) zeeshanak at gnome.org
Wed Oct 28 16:12:45 UTC 2015 

Hi Lasse,

Thanks for looking into this.

On Wed, Oct 28, 2015 at 3:29 PM, Lasse Schuirmann
<lasse.schuirmann at gmail.com> wrote:
> If this is not configured, GDM will refuse logging in the user on Debian
> Jessie.
>
> This patch was verified to work using GNOME Boxes on a Debian 8.2.0 ISO.
> ---

Thanks for testing it to work but could you please do one more test:
Check against older versions of Debian (the one that you previously
tested it against)?

>  .../install-script/debian.org/debian-preseed-desktop.xml.in | 13 +++++++++++--
>  data/install-script/debian.org/debian-preseed-jeos.xml.in   |  2 +-
>  2 files changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/data/install-script/debian.org/debian-preseed-desktop.xml.in b/data/install-script/debian.org/debian-preseed-desktop.xml.in
> index d9ac99d..e384fae 100644
> --- a/data/install-script/debian.org/debian-preseed-desktop.xml.in
> +++ b/data/install-script/debian.org/debian-preseed-desktop.xml.in
> @@ -188,14 +188,23 @@ d-i finish-install/reboot_in_progress note
>  <xsl:choose>
>    <xsl:when test="config/admin-password = ''">
>  # Delete root password
> -d-i preseed/late_command string in-target passwd -d root
> +d-i preseed/late_command string in-target passwd -d root; in-target sed -i 's/nullok_secure/nullok/' /etc/pam.d/common-auth
>    </xsl:when>
>  </xsl:choose>
>
>  <xsl:choose>
>    <xsl:when test="config/user-password = ''">
>  # Delete user password
> -d-i preseed/late_command string in-target passwd -d <xsl:value-of select="config/user-login"/>
> +d-i preseed/late_command string in-target passwd -d <xsl:value-of select="config/user-login"/>; in-target sed -i 's/nullok_secure/nullok/' /etc/pam.d/common-auth
> +
> +# When we set the late_command the previous one gets overwritten, so if user
> +# and admin password is empty we need to specify that explicitly
> +    <xsl:choose>
> +      <xsl:when test="config/admin-password = ''">
> +# Delete root password
> +d-i preseed/late_command string in-target passwd -d <xsl:value-of select="config/user-login"/>; in-target passwd -d root && in-target sed -i 's/nullok_secure/nullok/' /etc/pam.d/common-auth
> +      </xsl:when>
> +    </xsl:choose>
>    </xsl:when>
>  </xsl:choose>

If I understood correctly, if both user and root passwords are empty,
the above code will add two late_command directives, one for just the
user and the second for both user and admin. Also the pam.d config
will be done twice. We should only have one late_command in such
situation, even if first one would be ignored.

Looks fine to me otherwise.


-- 
Regards,

Zeeshan Ali (Khattak)
________________________________________
Befriend GNOME: http://www.gnome.org/friends/

More information about the Libosinfo mailing list