autologin at bootup securely
I'm trying to arrange for a user to automatically login at boot. I can't guarantee gnome or KDE will be installed or this would be easy. I goggled this and discovered the standard solution is modify innittab to run agetty -n -l /usr/sbin/autologin which would be a c program which looks like this
int main(){
execlp( "login", "login", "-f", "IIU", 0);
}
and finally modify /etc/login.def to add the NOPASSWORD argument to the ttl that is automatically logging in.
I've done this and it seems to work, but I have to questions related to it.
1) when I do this gnome still brings up a login manager for me to log in at bootup. it seems that the user I wanted logged in is still logged in and running but gnome covers this with it's own login prompt and requires a re-login. I actually don't mind that but it's not what I had expected, I expected to not have to log in once the autologin script was run. Is this due to gnome or would I see similar behavior without gnome installed?
2) I want to do this securely. Currently there are only two users on this machine, the one I want automatically logged in and have given limited security rights and root. In the future though more users may be added with elevated permissions. as I understand it using the NOPASSWD command in /etc/login.def would make any non root user able to login without a password, even if that user had elevated permissions. Is there a way to either modify the login.def file to only allow a specific user to login without a password, or to modify the autologin program run by agetty to include a password so I don't have to modify login.defs?
Actually I played with the login command and it has me confused. If I use login -f 'user name' it will prompt me for a password by always complains the password I provide is incorrect. I know the password I'm using is correct and can su without problems.
and before you ask I know there are other methods of getting what I desire (programs to run after reboot without needing a manual login), but my client requested this method so this is the method I’m going to use unless there a significant reason not to.
|