gdm Create User

Steve Grubb sgrubb at redhat.com
Sun Oct 7 11:42:23 UTC 2007


On Saturday 06 October 2007 18:18:23 Simo Sorce wrote:
> > Whenever gdm receives an unknown username, *automatically* create
> > that account as new, and log them in.
>
> Normally you can't distinguish between 'Authentication Failed' or 'User
> unknown' for security reasons. Leaking the information that a user
> exists or not is considered bad. Your proposal would make it easy to
> leak the information.
>
> If you consider that GDM can be reached via a network using XDMCP, that
> means that you may expose an automated way to discover valid usernames on
> a box.

I completely agree here. From a security perspective, this is a bad idea.
There is also an audit trail that has certain requirements, too. We need to
know the real user ID that is creating the account. (It's not root.) Root is a
shared account and we need the loginuid of the person creating the account.
So, they really do need to log in so that a proper session is set up and all
the things we need for the audit trail are filled in.

-Steve
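
The audit requirement raised in the reply above can be checked after the fact. The following is an added example, not part of the original message: it scans audit records for account creation or deletion and flags those with no loginuid (the kernel reports an unset loginuid as auid=4294967295). The sample records are constructed, and the function names are hypothetical.

```python
import re

# auid values reported when no login session ever set a loginuid.
UNSET_AUID = {"4294967295", "-1"}
ACCOUNT_EVENTS = {"ADD_USER", "DEL_USER"}

# Constructed sample records (not from a real host), in audit.log key=value style.
SAMPLE_LOG = """\
type=ADD_USER msg=audit(1191757343.101:412): user pid=2211 uid=0 auid=500 msg='op=adding user acct="alice" exe="/usr/sbin/useradd" res=success'
type=ADD_USER msg=audit(1191757399.552:431): user pid=2290 uid=0 auid=4294967295 msg='op=adding user acct="bob" exe="/usr/sbin/useradd" res=success'
type=USER_LOGIN msg=audit(1191757420.010:440): user pid=2301 uid=0 auid=4294967295 msg='acct="carol" exe="/usr/sbin/gdm-binary" res=failed'
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """Return the record's fields as a dict, or None if it is not an audit record."""
    event = EVENT_ID.search(line)
    if not event:
        return None
    # Drop the quote that opens the user-space message so its first key parses.
    body = line.replace("msg='", " ")
    fields = {k: v.strip("\"'") for k, v in FIELD.findall(body)}
    fields["serial"] = event.group(2)
    return fields


def account_changes(log):
    """List account add/delete events and whether each carries a real loginuid."""
    results = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("type") not in ACCOUNT_EVENTS:
            continue
        auid = rec.get("auid")  # a missing field counts as unattributed
        results.append({
            "serial": rec["serial"],
            "acct": rec.get("acct", "?"),
            "auid": auid,
            "attributed": auid is not None and auid not in UNSET_AUID,
        })
    return results


if __name__ == "__main__":
    for change in account_changes(SAMPLE_LOG):
        status = "ok" if change["attributed"] else "NO LOGINUID"
        print(change["serial"], change["acct"], change["auid"], status)
```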



