[Feature Request]: Add password-less users (without administrative privileges)

[ghost]

Fedora's Anaconda installer has the option to set-up a password-less user during the installation, it will be great to have this option on Solus' installer for setting up home/guest users (but without the horrible error of making the administrative privileges for those users an optional thing as Anaconda does).

BTW, I tried to use the good old passwd -d command to remove a pre-setted passwd for an home user but LightDM didn't catched it (as in Arch or Ubuntu).

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/33498354-feature-request-add-password-less-users-without-administrative-privileges?utm_campaign=plugin&utm_content=tracker%2F2994527&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F2994527&utm_medium=issues&utm_source=github).

[ikeydoherty]

So you mean where you need to set the password on login, i.e. for family accounts?

[ghost]

Yes! :smile:

For example, creating users...

• for me (with password and administrative privileges),
• for my brother (with password but without administrative privileges -the installer can do this-),
• and for my mom (without password and, thus, administrative privileges -this is what I want to do-).

[ikeydoherty]

Sounds good to me :)

[ghost]

A little point to take care, if you will update LightDM, the patch for PAM files present in Solus' GIT will not work (as pam_unix.so seems to be depreciated).

Solus Installer will need to add the password-less user to a new group (called 'nopasswdlogin') and the PAM file patched to make LightDM admit password-less users, as I posted in the bugtracker.

[ghost]

Some months ago I investigated this (and forgotten this issue completly :grin:), so, just to expand this thing I found that:

• Red Hat and Debian are placing the nullok option to the pam_unix.so module in their PAM configuration files to make passwordless usage possible (like LightDM not forcing me to introduce my non-existent password in a password box). This is what I was doing with Solus all this time and works.

• The Red Hat installer, Anaconda, just adds a empty string to the /etc/shadow file (kinda obvious), so unmarking the "this user needs a password" option only does that. I think this can be implemented in the installer without problems.

But given this, I found two problems (and some possible solutions for them):

1. Putting the nullok option in the PAM configuration is a very high security risk that installations without passwordless accounts shouldn't have.

   I thought if it's possible to make the installer itself create a PAM file containing the pam_unix.so call using the nullok option only when it's necessary (when any passwordless account is created), and rebuild the packages which have PAM files to redirect all the pam_unix.so calls to that file. Doing this shouldn't be a problem in the current Solus systems since is rare to find a installation with passwordless accounts (which wasn't forced, like mine), so providing the new file without nullok as an update before adding the file creation stuff to the installer should be ok.

2. What happens when we have only one passwordless account? As in example, if we want to install Solus...

• ...with 2 users with password: No problems here.

• ...with 1 admin with password and one user without password (my case :wink:): No problems here too, there is an admin account so some programs that requires administrative privileges can fallback to request the admin password (thanks to Polkit).

• ...one (or more) passwordless user: It's an option since some users would want to use their Solus installation in a family PC but one account should have administrative privileges otherwise the system gets unusable (no way to run the package manager or do other admin tasks), so I thinks about some "failsafes" we can provide if the user wants to do this:

  • Force the user to create an admin account with password (users would complain).
  • Lets the account(s) have administrative privileges (insecure).
  • Enable the root account, making another installer page for the root password (the most viable option, but not the "Solus-est" giving the fact that Solus has the root account disabled by default).

[ikeydoherty]

We're able to handle passwordless accounts (we do this for the live ISO). The problem here, from my perspective, is having a prompt to change the user password on login. I'm wondering if we can simply passwd -d it (as an empty pass is actually hashed) - and have PAM/lightdm handle this during login itself. I suspect its doable.

In that case we could have a simple tickbox "Set password later". We already mandate one admin account, as long as we force password set on first login I think we're covered, tbh.

[ghost]

I not longer require users without password, so as looks like I'm the only hooman who wanted this to happen I'll close this (if I can find the DAMN fourth chaos emeraldclose button).

EDIT: Forgot the @ghost, can you close this please? :P

[Mazino-Urek]

@ikeydoherty Still that feature is needed. I have installed Solus on my dad's PC. Solus requires a 5 letter password and he is bugging me to remove it. P.S That PC used to run windows. Other than that everything is pretty nice. Using Solus-Mate. I have the administrator account which has root access.

[astrolemonade]

I want this feature too, I am living alone and by no means anybody can access my laptop. I am just tired of typing the password all the time