> > Hi,
> > This has been bugging me ever since I installed Red Hat 4.0.
> > My system is used by me alone, so I do not need to have password
> > security for my login's or su's. With RH 3.0.3, I simply editted out
> > the password fields from /etc/passwd, and it worked fine. The 'login'
> > program asked for a username, I simply typed that in and hit Return.
> > 'login' did not ask for a password, and simply accepted the login.
> > Similarly, the 'su' program would also not bother to ask.
> I see that your message was posted from within
> linux. I don't know about you but I don't want
> just anybody logging onto my machine while I'm
> connected to my isp. And if you have no password
> on any of your machine accounts, anybody who sniffs
> out your ip number can easily login, do anything they
> want, maybe even grab the password to your isp
As I acknowledged in my reply to the email copy of this, I appreciate
your concern very much. However, the likelihood of someone being able
to do this is extremely minor, considering that I have a dynamic IP
address, which changes every time I call up.
If someone were to break into my system, there is really nothing here
that I would mind losing. In fact, they could just ask for it, and I
would probably just give it to them!
The most damage they could do here would be to cause me to reinstall
Linux and restore from my recent backup. So what?
Even if someone were to break into my ISP account, what are they going
to do? Change my account password? I would find out very quickly, and
fix it. Steal some hours on my account? Well, it happens that my home
page is the "account stats" page at my ISP! I would notice, and quickly
change my password at the ISP.
OK, I am not a newcomer to UNIX/Linux. (How many of you were using UNIX
Version 7 in 1981? Actually, that is not a rhetorical question -- I'm
curious!) I understand the value of having good security where it is a
benefit. The thing is, having security where it is not useful simply
makes the computer harder to use. That is not a benefit, just a "pain".
What really bugs me about my current problem is that I am asked for a
password when there *isn't* one, and I am very sure I don't *want* one!
It is really stupid! I can type *anything* at the password prompt, and
it will be accepted.
Now, if you think about it, this is actually EXTREMELY POOR SECURITY!
What if someone breaks into a system with multiple users and a *need*
for security, and simply edits out the root password. The superuser is
probably in the habit of quickly and *correctly* typing in the root
password, and will not even notice that there's something wrong!!!
Great, now in my effort to run a security-free Linux system, I've
discovered a (minor) security hole in Linux. Should I report this?
Well, I just did ... consider this the report.
Hopefully, they will *not* fix this by ABSOLUTELY REQUIRING passwords in
all cases! Please! ;-)
The way it worked in Interactive 386/ix was there was a config file for
the 'login' program, where I could simply set
That was very nice!
- Jay Ts