Re: xdm passwordless logins

[nia <nia%NetBSD.org@localhost>]

On Thu, Oct 29, 2020 at 08:57:05AM -0400, Greg Troxel wrote:
> 
> Tobias Nygren <tnn%NetBSD.org@localhost> writes:
> 
> > On Thu, 29 Oct 2020 08:10:23 +0000
> > nia <nia%NetBSD.org@localhost> wrote:
> >
> >> hi,
> >> 
> >> xdm is configured by default to disallow logins from accounts
> >> without a password set. this is different to how ttys work,
> >> and means if you have root with no password set you can't
> >> login to the system
> >> 
> >> is this intentional?
> >
> > I think it is intentional, by historical convention.
> > If xdm is configured to respond to network queries via XDMCDP, as was
> > common in the old age, it opens up possibility of remote logins without
> > a password. It is different from for example sshd remote logins where
> > there is a "PermitEmptyPasswords no" default.
> 
> I concur with this version of history
> 
> Back in the old days (early 90s?)there were "X terminals" that spoke X
> and looked via xdmcp, sort of like plugging a terminal in via ethernet
> instead of serial, but X instead of text.
> 
> But I think ~nobody does remote xdm or uses X terminals any more, and if
> xdm had a config PermitEmtpyPasswords that defaulted to yes if connected
> to 127.0.0.1/::1/unix-socket, and no if otherwise, that would be fine.
> 

I think there's no fine-grained option for this, only the following
Xresource:

       xlogin.Login.allowNullPasswd
              If set to ``true'', allow an otherwise failing password match to
              succeed if the account does not require a password at all.  The
              default is ``false'', so only users that have passwords assigned
              can log in.


I just noticed this after starting xdm on a freshly flashed evbarm.