Hello! A week back I asked how I could set up a guest user account on my laptop with a home directory that wipes on reboot. While I succeeded with that, there’s still one part that I’m not quite happy with; guest users currently need to log in with a password.
Ideally, friends would be able to simply select the “Guest” user in the login screen, and with that enter the session. I have looked in the docs but haven’t figured out how to do it. Setting users.users.guest.password = null; did not work. What must I do to achieve my desired result, and are there any security risks that could arise from doing this?
I am using home-manager, and have GNOME as my desktop environment if that helps with anything!
I think the only way to do this is by defining a PAM rule. The relevant service is gdm-password, so something like this should work (warning, untested, might botch your PAM config which is a thing that can lock you out of your system—be prepared to boot from NixOS install media just in case this goes horribly):
Apologies for the late reply, but I have now tried this out!
While it luckily didn’t lock me out of my system, neither did it do anything from what I’m able to see. Could it be that I somehow have to remove the current password before it starts working, or do we just have to try a completely different approach?
Thanks! Now it works! Worth mentioning that I first had to do sudo passwd guest -d, as I realized that I had previously set the guest password to something while experimenting with other things…
However, quick follow-up question: in your VM, did you just do that, or did you also add the above config by @rhendric? (Just want to know what the minimum needed config is, if that makes sense)
I did this as well, and after doing it, the guest user immediately logs in, but then when they try to open a Chrome browser or VSCodium or something, it asks to create their own login keyring with a password, which kinda defeats the purpose if they set a password / is annoying if they don’t set a password / confusing for a guest that isn’t familiar with Linux.
Have you been affected by this problem as well? Because of this I still have a guest user with the password guest for now, because having a password unlocks the keyring automatically, at least in lightdm and gnome.
I would probably configure the guest user to disable the keyring entirely. I know you can do that for kwallet, and I assume you can do the same for the gnome equivalent. That should stop the popups, and chrome and friends should fall back to a less secure cookie encryption scheme that doesn’t require an external secret.
Just tried it, and I do indeed have the same problem. I couldn’t recall having this issue 4 months ago when I first experimented with this, so I rolled back to GNOME 48 just to see if maybe this issue was introduced in the recent jump to GNOME 49. My memory was correct, and it did in fact work without problem on GNOME 48.
A good way to go about this would be to read through the changes of GNOME 49 and isolate the exact change that makes this happen. Doing so would make it much easier to figure out what change we have to make to avoid this!
I would do this myself, but don’t currently have the time for it. Unless somebody else figures it out, I’ll probably give it a try in a few weeks. Also, if you do get it to work by simply disabling keyring, please update us!
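On the security-risk question from the first post, an added example that is not part of the original thread: `passwd -d` leaves the account's password field in `/etc/shadow` empty, so a small audit can list which accounts are passwordless and whether any of them is also an administrator. The sample data is constructed, and treating `wheel` as the admin group is an assumption about the system's sudo setup.

```shell
#!/bin/sh
# Added example: classify password fields in shadow(5)-format data.
# SAMPLE_SHADOW and SAMPLE_GROUP are constructed, not taken from a real system.
SAMPLE_SHADOW='root:$y$j9T$constructedsalt$constructedhash:19000::::::
alice:$y$j9T$constructedsalt$constructedhash:19000::::::
guest::19000::::::
nobody:!:19000::::::
sshd:*:19000::::::'

SAMPLE_GROUP='wheel:x:1:alice
users:x:100:alice,guest'

# Print "name state" for every account: empty, locked or hashed.
classify_shadow() {
    printf '%s\n' "$1" | awk -F: 'NF >= 2 {
        if ($2 == "")          state = "empty"    # what passwd -d produces
        else if ($2 ~ /^[!*]/) state = "locked"   # password login disabled
        else                   state = "hashed"
        print $1, state
    }'
}

# Names of accounts whose password field is empty.
empty_password_users() {
    classify_shadow "$1" | awk '$2 == "empty" { print $1 }'
}

# Succeeds when user $1 is a listed member of group $2 in group(5) data $3.
# Primary-group membership (the GID in /etc/passwd) is not covered here.
in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

# Report each passwordless account and whether it is also in wheel (assumed admin group).
audit() {
    for u in $(empty_password_users "$1"); do
        if in_group "$u" wheel "$2"; then
            echo "$u: empty password AND in wheel"
        else
            echo "$u: empty password"
        fi
    done
}

audit "$SAMPLE_SHADOW" "$SAMPLE_GROUP"
```

On a real system, pass the contents of `/etc/shadow` (readable only by root) and `/etc/group` instead of the sample strings.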