guest account
simon
simon3z at yahoo.com
Mon Dec 13 12:47:27 UTC 2004
I was trying to set up a guest account for my box to be used by my friends when
they come to my home and they wanna use the internet for a while.
I think that having a limited guest account on a Desktop box is useful anyway
and in the end safer than letting other people use your account for a
while.
This obviously applies just to home environments.
IMHO the option to have a guest account could be added to firstboot too.
The desired behaviour is:
- Login just in the Desktop Environment
- No login on terminal or any remote access (ssh, samba, etc...)
- No password required
The best solution I have been able to find has been:
Add the user:
# adduser -g users -d /home/guest -s /bin/bash -m guest
Delete the password (maybe not needed):
# passwd -d guest
Lock the account to prevent any access:
# passwd -l guest
Modify the file /etc/pam.d/gdm:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_listfile.so item=user sense=allow file=/etc/X11/gdm/nopassusers onerr=fail
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
The file /etc/X11/gdm/nopassusers will keep a list of users that don't need
to give a password to log in on gdm, so we add guest to it:
# echo guest > /etc/X11/gdm/nopassusers
Improvements:
I'm not sure but maybe the best check order in /etc/pam.d/gdm could be:
#%PAM-1.0
auth required pam_env.so
auth required pam_nologin.so
auth sufficient pam_listfile.so item=user sense=allow file=/etc/X11/gdm/nopassusers onerr=fail
auth required pam_stack.so service=system-auth
[...]
Since I'm not sure about it I leave that unchanged, but I wait for comments
about it.
It can also help to have another X server running so you don't have to log out
from your account (you just have to lock the screen); this can be done by editing
/etc/X11/gdm/gdm.conf and adding in the "[servers]" section the line:
1=Standard
(Note: you switch between servers using Ctrl-Alt-F7 and F8)
I was also trying to set the restricted bash (bash -r) for the guest account,
but it obviously doesn't work since many X scripts are made to run on the full
bash.
Any other improvement is really welcome... in the first place those related to
security.
--
Simon.
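
Added example (not part of the original post): a simplified Python model of how PAM treats `required` and `sufficient` lines, applied to the two `auth` orderings in the message, showing which modules are consulted for `guest` while `/etc/nologin` exists. The `module_ok` verdicts and the `guest_ctx` helper are hypothetical stand-ins for the real modules, and only these two control flags are modelled.

```python
# Constructed copies of the two auth orderings from the post.
ORIGINAL = """\
auth required pam_env.so
auth sufficient pam_listfile.so item=user sense=allow file=/etc/X11/gdm/nopassusers onerr=fail
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
"""
REORDERED = """\
auth required pam_env.so
auth required pam_nologin.so
auth sufficient pam_listfile.so item=user sense=allow file=/etc/X11/gdm/nopassusers onerr=fail
auth required pam_stack.so service=system-auth
"""


def module_ok(module, ctx):
    """Hypothetical stand-ins for each module's verdict (assumption, not real PAM)."""
    if module == "pam_env.so":
        return True
    if module == "pam_nologin.so":  # denies non-root users while /etc/nologin exists
        return ctx["user"] == "root" or not ctx["nologin_exists"]
    if module == "pam_listfile.so":  # sense=allow: succeeds only for listed users
        return ctx["user"] in ctx["nopassusers"]
    if module == "pam_stack.so":  # system-auth reduced to "valid password given"
        return ctx["password_ok"]
    raise ValueError(f"unmodelled module: {module}")


def authenticate(stack, ctx):
    """Return (granted, modules_consulted) for the auth lines in `stack`."""
    failed, consulted = False, []
    for line in stack.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module = fields[1], fields[2]
        consulted.append(module)
        ok = module_ok(module, ctx)
        if control == "required" and not ok:
            failed = True  # remembered, but the rest of the stack still runs
        elif control == "sufficient" and ok and not failed:
            return True, consulted  # short-circuit: later modules never run
    return not failed, consulted


def guest_ctx(nologin_exists):
    # guest is locked (passwd -l), so the password path can never succeed
    return {"user": "guest", "nopassusers": {"guest"},
            "password_ok": False, "nologin_exists": nologin_exists}
```

In this model the first ordering grants `guest` without ever consulting `pam_nologin.so`, while the reordered stack denies `guest` whenever `/etc/nologin` is present.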