Feature #5589

Have a password-less amnesia account by default

Added by Tails 2013-07-18 07:43:11 . Updated 2015-08-25 14:00:57 .

Status:
Duplicate
Priority:
Elevated
Assignee:
Category:
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:

Starter:
0
Affected tool:
Deliverable for:

Description

Care must be taken so that a user cannot mistakenly click a "Lock the screen" button while they have not chosen a password. Here’s some ideas:

Password-less amnesia account

Make the amnesia account password-less by default, and have the "Lock screen" feature do something non-dumb in this situation. This has been tested to work well; when no password is set, locking the screen just starts the screensaver with no lock.

Issues

However, making the amnesia account password-less overrides Tails Greeter. TG can be seen for a split second when X starts and then GNOME starts.

This seems to be PAM-related. It has been tried to disable "nullok_secure" for pam_unix.so ("traditional password authentication"), which means that empty passwords are ok when used on secure tty’s. That prevents gdm from skipping Tails Greeter and go directly to GNOME, but then X aborts with PAM errors when clicking "Login" in Tails Greeter. We should research if we can solve this with PAM in some nice way.

An alternative would be to not make the default user password-less by default and instead have Tails Greeter do it in case an administrative password isn’t set. This would work as expected, and can easily be simulated by setting a root password (using rootpw= on the kernel cmdline) and switching out to a console and running passwd -d amnesia right before clicking "Login" in Tails Greeter.

However, if X restarts after the amnesia user’s password has been deleted (so we didn’t set an administrative password), we’d be back in the same situation; Tails Greeter would be skipped, and any options (e.g. locale) selected in it the previous time wouldn’t be selected this time. OTOH I suppose we assume X restarts won’t happen, so it’s not a big issue.


Subtasks


Related issues

Is duplicate of Tails - Feature #8383: Research technical possibilities to implement a password prompt for screen locking Resolved 2014-12-03

History

#1 Updated by Tails 2013-07-18 10:36:54

#2 Updated by intrigeri 2013-07-19 02:49:04

  • Priority changed from Normal to Elevated

#3 Updated by BitingBird 2014-06-09 10:04:40

  • Subject changed from have a password-less amnesia account by default to Have a password-less amnesia account by default
  • Starter set to No

#4 Updated by intrigeri 2014-12-20 12:39:13

  • related to Feature #8383: Research technical possibilities to implement a password prompt for screen locking added

#5 Updated by BitingBird 2015-08-25 14:00:49

  • related to deleted (Feature #8383: Research technical possibilities to implement a password prompt for screen locking)

#6 Updated by BitingBird 2015-08-25 14:00:57

  • Status changed from Confirmed to Duplicate

#7 Updated by BitingBird 2015-08-25 14:01:07

  • is duplicate of Feature #8383: Research technical possibilities to implement a password prompt for screen locking added