>> The original use case was to provide an account to my daughter who
>> was not (yet) able to remember a strong password. She wasn't going
>> to use a console login either.
> So a corner - and hopefully transitory ;-) - case.
Originally, yes, but I learned in the mean time to appreciate the
possibility of offering an account with a simple/trivial password on
my machine. It comes in handy more often than "once per offspring".
> Set your system to use key-pairs.
I don't understand what that means (or how that helps).
Do you mean I should disallow password access via SSH altogether?
That doesn't solve the issue of "only allow password access via GDM",
in the sense that there are still other ways in beside GDM and SSH.
I mean, yes, I can (and have) cobbled up some hackish way to plug the
holes I was aware of, but I think it would be better to be able to
specifically only allow weak password authentication for some specific
services and then stop worrying about which other services might still
use those weak password (su? telnetd? which other ones? how could
I find out?)
Stefan
