[kde-freebsd] issues with most recent KDE

Michael Nottebrock lofi at freebsd.org
Wed Jul 11 18:30:27 CEST 2007


On Wednesday, 11. July 2007, Mikhail T. wrote:
> Michael Nottebrock wrote:
> > The nice gui really does nothing but let kdm use a different pam service
> > for those users selected for passwordless logins.
>
> The nice GUI puts the proper NoPasswordUserList=... into kdmrc. If kdm
> (mis)interprets that as a need to look for some other (nonexistent!) PAM
> config file, that's a bug in KDM...

It's not a bug, it's a poorly documented feature. :)

> > As for automatically installing the service definition: There is no
> > mechanism in ports to automatically do this, doing it in the port would
> > be quite ugly and intrusive (I don't think any port should diddle with
> > anything in /etc/pam.d, much less a kde port) and finally, passwordless
> > convenience logins and a pam service definition that doesn't check
> > passwords are such a security hazard that I reckon it's okay to give
> > users who really want to use it anyway the bit of extra trouble to look
> > at the FAQ. :)
>
> This is a generally paternalistic view. It is also wrong in this
> particular case. KDM, which does not even listen for remote connections
> by default is quite safe.

My point was more that passwordless logins are unsafe, but the *real* point 
was that IMO installing PAM service definitions should be handled by 
ports(.mk). 

With FreeBSD 4.x now desupported, handling it on our own in the kdebase port 
has become at least feasible (on 4.x, this would have required in-place 
editing of the system pam.conf file), so I might give up waiting and just do 
it there anyway at some point. It's not high on my to-do list though for the 
reasons mentioned in my last reply (note to mailing list audience: Patches 
welcome, must cleanly handle existing definitions and work in the binary 
package as well).

> There is also the question of accounts, without passwords at all. KDM
> rejects such users, even when told not to. So does sshd. Amending sshd's
> behavior is easy -- set PermitEmptyPasswords in /etc/ssh/sshd_config.

That's not quite correct. KDM uses PAM for authentication. So does sshd, by 
default. The PermitEmptyPasswords option for sshd only works if you turn on 
sshd's legacy built-in password authentication.

> Amending kdm's is unduly difficult.

You can easily allow empty passwords. One way is to have the users themselves 
run passwd and set their password empty. This will work in both kdm and ssh. 
But you can also make kdm and ssh accept user accounts with an empty password 
field: Just add the "nullok" option to the pam_unix auth module in their 
respective PAM service definitions, /etc/pam.d/sshd and /etc/pam.d/kde like 
so:

auth     required   pam_unix.so     no_warn try_first_pass nullok

> Does Linux come with kdm-np PAM entry? 

Most distributions ship a kde-np PAM service definition, some disable it by 
default, others don't. If a src committer is reading this and wants to add a 
kde-np PAM service definition to FreeBSD, I'm not objecting. :)

> >>>> 	   Even if the user clicks "Forever", they still get prompted
> >>>> 	   next time kmail is started.
> >>>
> >>> Sounds like kded isn't running - if you have the klaptopdaemon port
> >>> installed,
> >>
> >> Mmm, this is not a laptop. I don't know, what kded nor klaptopdaemon
> >> are... Again, this is a new install of KDE from ports.
> >
> > Actually, I'm not so sure anymore if this is kded/kwallet issue, but
> > anyway: I *think* that certificate acceptance settings are stored in a
> > user's kwallet (along with account passwords), so make sure you have
> > kwallet set up.
>
> This user's account does not have wallet configured, that's true. KMail
> even issues due warnings about storing e-mail account password outside
> of wallet. However, in case of the certificate there is no
> warning/question about wallet... It simply asks "Forever" or "For now"
> and even if you pick "Forever", it will ask again, the next time it
> needs to (re)establish the connection.

Please try if it goes away with kwallet configured and running anyway. 
Walletless operation has become increasingly difficult (and downright buggy) 
in KDE, I suspect this might be another case of this feature-creep.


Cheers,
-- 
   ,_,   | Michael Nottebrock               | lofi at freebsd.org
 (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org
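
Added example, not part of the original message: a small audit that flags PAM auth rules which let a login succeed without a password, that is, pam_unix with nullok as in the line quoted above, or a kde-np style service that skips the password check. The sample service files are constructed, using pam_permit as the content of kde-np is an assumption (the message does not show that file), and include directives are not followed.

```python
import re

# Constructed sample service definitions (not copied from a real system).
SAMPLE = {
    "kde": "# constructed sample\n"
           "auth     required   pam_unix.so     no_warn try_first_pass nullok\n"
           "account  required   pam_unix.so\n",
    "kde-np": "auth     required   pam_permit.so\n"   # assumed content
              "account  required   pam_unix.so\n",
    "sshd": "auth     required   pam_unix.so     no_warn try_first_pass\n"
            "password required   pam_unix.so     no_warn nullok\n",
}

# facility, control (plain word or [bracketed]), module path, options
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_service(name, text):
    """Return (service, line, reason) for auth rules that need no password."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = RULE.match(line)
        if not m:
            continue                             # blank or unparsable line
        facility, _control, module, options = m.groups()
        if facility.lstrip("-") != "auth":
            continue                             # only auth rules decide logins
        mod = module.rsplit("/", 1)[-1].split(".so")[0]
        if mod == "pam_unix" and "nullok" in options.split():
            findings.append((name, lineno, "pam_unix nullok: empty password accepted"))
        elif mod == "pam_permit":
            findings.append((name, lineno, "pam_permit in auth: no password check"))
    return findings

def audit_all(services):
    """Audit a {service name: file text} mapping in name order."""
    out = []
    for name in sorted(services):
        out.extend(audit_service(name, services[name]))
    return out

if __name__ == "__main__":
    for name, lineno, reason in audit_all(SAMPLE):
        print(f"{name}:{lineno}: {reason}")
```

To check a real system, build the mapping from the files under /etc/pam.d instead of SAMPLE.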