On 15/03/07, Soren Hansen <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 15, 2007 at 10:23:32AM +0900, Arwyn Hainsworth wrote:
> > >I've always thought that the option of just giving any user access
> > >without authentication is broken and should be removed. Something
> > >like what happened to this user was bound to happen sooner or later
> > >and I can't think up a use case that justifies its presence. Can any
> > >of you?
> > I had a friend once who kept his home PC on so that he could log in
> > via remote desktop from work. IMHO that's a perfectly normal use case,
> > so it should be possible to log in without local user intervention and
> > removing that ability would be a mistake.
>
> And he can't remember a simple password?

I think you are misunderstanding my point or I was misunderstanding yours.

Some form of authentication should be required. It can be either password
authentication, public/private key authentication, direct user intervention
or a mixture of 2 or 3 of the above. Providing at least one method of
authentication is active, I see no problem; however, I do agree that allowing
remote connection without any form of authentication is a security flaw and
should not be possible.

After checking Preferences->Remote_Desktop it does indeed seem to be possible
to disable all forms of authentication. Not good.

Arwyn

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss