Users without a password?

Smoot Carl-Mitchell smoot at tic.com
Sat Nov 24 13:20:49 UTC 2007


On Sat, 2007-11-24 at 01:06 -0500, Caleb Marcus wrote:

> What sort of security risks are you talking about? I'm just creating
> an unprivileged guest account that can't really do anything on the
> system... are there any risks beyond the possibility of someone being
> able to get into that account without a password?

That is the main risk.  Most of the really bad GNU/Linux exploits
require local login access to the machine. A user with a login on the
box has a much simpler time cracking security. Of course it all depends
on what you are protecting and if remote access is allowed to this
machine. If remote access is not allowed and you have an adequate
firewall, passwordless accounts might be a reasonable risk. Be mindful
that the risk also includes some malicious user turning the box into an
email relay to distribute spam. 

If the passwordless access is meant to be physically from the console
you might consider keeping a password on the guest account and taping a
note to the monitor which says something like "To log in as a guest use
this password".  You can then periodically change the guest account
password or turn the account off when it is not needed to reduce the
security risks.
-- 
Smoot Carl-Mitchell
System/Network Architect
email: smoot at tic.com
cell: +1 602 421 9005
home: +1 480 922 7313
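
A check for the risk discussed in the message above, added here as an example that is not part of the original post: it lists accounts whose shadow password field is empty and reports whether a given account (such as the guest account) is currently locked. The function names and the sample `passwd`/`shadow` contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample file contents are constructed.

# List accounts whose shadow password field is empty (no password is needed
# wherever PAM permits null passwords) and whether their shell allows login.
audit_passwordless() {   # usage: audit_passwordless SHADOW_FILE PASSWD_FILE
    awk -F: '
        FILENAME == ARGV[1] { shell[$1] = $7; next }   # passwd: field 7 is the shell
        NF > 1 && $2 == "" {                           # shadow: field 2 is the hash
            sh = ($1 in shell) ? shell[$1] : "unknown"
            login = (sh ~ /(nologin|false)$/) ? "no" : "yes"
            printf "%s EMPTY login=%s shell=%s\n", $1, login, sh
        }
    ' "$2" "$1"
}

# Report one account as EMPTY, LOCKED (hash starts with ! or *), SET or MISSING.
account_state() {        # usage: account_state SHADOW_FILE USER
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if ($2 == "") print "EMPTY"
            else if ($2 ~ /^[!*]/) print "LOCKED"
            else print "SET"
        }
        END { if (!found) print "MISSING" }
    ' "$1"
}

# Constructed sample data standing in for /etc/passwd and /etc/shadow.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
kiosk:x:1002:1002:Kiosk:/home/kiosk:/bin/bash
svc:x:998:998::/var/lib/svc:/usr/sbin/nologin
EOF
cat > "$sample_dir/shadow" <<'EOF'
root:$6$CONSTRUCTED$notarealhash:13841:0:99999:7:::
guest::13841:0:99999:7:::
kiosk:!$6$CONSTRUCTED$notarealhash:13841:0:99999:7:::
svc::13841:0:99999:7:::
EOF

audit_passwordless "$sample_dir/shadow" "$sample_dir/passwd"
echo "kiosk: $(account_state "$sample_dir/shadow" kiosk)"
```

On a real system the same functions can be pointed at `/etc/shadow` and `/etc/passwd`; reading the shadow file requires root.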




More information about the ubuntu-users mailing list