Allow certain users or seats to skip the greeter entirely and log in
automatically, or log in without entering a password.
Two distinct sub-features
Autologin: A designated user is logged in immediately when a seat
becomes available — the greeter never appears. Useful for kiosk setups
or a primary personal machine.
Passwordless login: A user must select themselves in the greeter
but is not prompted for a password. Currently implemented as a
compile-time CONFIG_PASSWORDLESS_USERS bypass that skips PAM
entirely; the proper implementation routes through PAM (see below).
Configuration
Both should be per-seat and runtime-configurable (config file, once
#24 is implemented) rather than compile-time #defines.
Route passwordless login through PAM properly (formerly #23)
The existing CONFIG_PASSWORDLESS_USERS shortcut bypasses PAM
entirely: no loginuid is set, no resource limits applied, no keyring
created. The proper behaviour keeps the user in a nopasswdlogin
group and lets PAM mark auth as passed for them, so a full session is
still opened.
Target behaviour
- The user is a member of the nopasswdlogin group (standard Debian
mechanism).
- The greeter still sends empty credentials for that user (UX TBD —
either show an empty password field or skip it and submit
immediately).
- The daemon always calls PAM with the supplied (empty) password.
- The PAM stack grants access because
pam_succeed_if.so user ingroup nopasswdlogin succeeds before
pam_unix checks the password.
- A full PAM session is opened normally.
PAM config change required
Add before @include common-auth in data/pam.d/atrium.debian:
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
sufficient means: if the user is in the group, mark auth as passed
and skip the rest of the auth stack (including pam_unix password
check).
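A check for the ordering requirement above, as an added example (not code from the atrium project). It reports whether the pam_succeed_if rule sits in the auth stack ahead of the password check. The function names and the sample service files are constructed for illustration; the parser assumes one rule per line (no backslash continuations) and does not follow @include files.

```python
GROUP = "nopasswdlogin"  # group name taken from the issue text

def auth_entries(text):
    """Yield (control, module, args) per auth line; includes yield control '@include'."""
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not tok:
            continue
        if tok[0] == "@include" and len(tok) > 1:
            yield ("@include", tok[1], [])
        elif tok[0].lstrip("-") == "auth" and len(tok) >= 3:
            rest, n = tok[1:], 1
            if rest[0].startswith("["):  # bracketed control may contain spaces
                n = next((i + 1 for i, t in enumerate(rest) if t.endswith("]")), len(rest))
            if n < len(rest):
                yield (" ".join(rest[:n]), rest[n].rsplit("/", 1)[-1], rest[n + 1:])

def check_passwordless_rule(text, group=GROUP):
    """Return 'ok', 'too-late', 'wrong-control' or 'missing'."""
    password_check_seen = False
    for control, module, args in auth_entries(text):
        if control == "@include":
            password_check_seen |= module == "common-auth"
        elif module == "pam_unix.so":
            password_check_seen = True
        elif module == "pam_succeed_if.so" and \
                ["user", "ingroup", group] in [args[i:i + 3] for i in range(len(args))]:
            if password_check_seen:
                return "too-late"  # pam_unix already rejected the empty password
            # Anything but 'sufficient' either still falls through to pam_unix
            # or fails auth for users outside the group.
            return "ok" if control == "sufficient" else "wrong-control"
    return "missing"

# Constructed service files (not the project's real data/pam.d/atrium.debian).
GOOD = """\
# constructed sample
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
@include common-account
@include common-session
"""
LATE = """\
@include common-auth
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
"""
WRONG = "auth required pam_succeed_if.so user ingroup nopasswdlogin\n@include common-auth\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("LATE", LATE), ("WRONG", WRONG), ("EMPTY", "")):
        print(name, check_passwordless_rule(text))
```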
Code changes required
- src/config.h — remove CONFIG_PASSWORDLESS_USERS
- src/main.c — remove passwordless bypass in
on_greeter_credentials()
- src/auth.c — remove NULL-pamh guards that were only needed because
pamh was never set for passwordless users; auth_open_session() and
auth_close() become unconditional
- greeter/ui-gtk4.c — remove is_passwordless() helper and the
branch that skips the password screen; decide on UX (skip screen vs.
empty field)
Locations
src/config.h:28
src/main.c:288
src/auth.c:177, src/auth.c:206
greeter/ui-gtk4.c:34, greeter/ui-gtk4.c:298