"Guest" account should be accessible from login screen

I agree. In high-school I work for we have user accounts shared between computers using NFS/NIS. All students and most of the teachers have individual accounts. Unfortunately there are also people without accounts occasionally using the computers, so a guest account is a must. Right now it's just a normal account named "guest", but since it's not temporary it collects tons of useless files and configuration, and since it's still shared over network two people are able to log in at the same time, and potentially corrupt programs configuration.

I thought Ubuntu 8.10 will solve all those problems, so I'm very disappointed to hear you won't be able to use this account from the login screen.

I would also really like to see this feature. With it, I could have a computer sitting in a common area that anyone could come up to and use as a guest. Right now, I'd have to leave that computer sitting with a more-privileged user logged in, or be present for each person so I can log in and switch to the guest account.

Please provide at least an option to enable guest login from GDM.

Hi,

The guest session works by launching the flexiserver. I believe this can only
be launched by a logged in user, and that seems to be a design decision,
from the README.Debian:

"Just call /usr/share/gdm/guest-session/guest-session-launch to start the
session; this only works if you already have a gdm session, though, to
avoid using a machine without authorization and no password."

so it is security concerns that add this restriction.

There would be two issues here, firstly the security issue of giving anyone
access to the machine. Having an option to allow the guest session to
be started directly from GDM would seem to be ok here, as the admin would
have to enable it. If they do then it would presumably be for one of the
shared machine situations described above, and so it would be what the admin
wanted.

The second issue is the technical one of whether the current guest session
architecture allows the guest session to be launched without a logged in
user. This I know less about. I believe it may be easier with the new GDM
though, which will possibly be in 9.04.

I don't think that this will be likely to be considered for Intrepid, but I still think
it is a legitimate wish, and so I have confirmed the bug and marked it wishlist.
Whether the bug should be fixed for Intrepid will be reviewed by someone more
appropriate than myself.

Thanks,

James

We explicitly designed this to *not* be accessible anonymously.

If you want a "kiosk" mode, create a spare guest user yourself and configure the login manager to automatically log it in after 30 seconds or so.

With guest session:

A: Can I Borrow your computer?
B: Yes, but only when I'm at home, because I have to log in first

With guest account:

A: Can I Borrow your computer?
B: Yes, but you will have to wait 30 seconds after it has started up, and remember to move the mouse regularly so the screen saver doesn't get activated. (The screen saver or any other program that prompts for a password wont accept the empty string)

Why just not an option to enable the a guest session from the login window?

I agree that an easy and accessible Guest account as an option for the login menu is necessary.
It's a good thing to share your laptop and I even like to use the guest account when I'm just doing non administrator and non personal stuff.

You have my vote on this one :-)

I just wanted to also chirp in to agree with the need for this. Nobody seems to be asking for a "kiosk" mode so I don't see that as a reasonable answer. A guest account should be easy and convenient and having to walk over to the home PC and login every time a friend wants to use the PC is definitely not easy nor convenient. The guest session is a perfect solution, if only it could be launched from GDM without first logging in, because it would let someone login, complete whatever task they need (without root access to provide safety) and clean the slate once logged out so as not to accumulate junk.

Hi!
I did this for have a "guest" false session with GDM Login:

1.- Create a count without privileges (example Guest). Then password = guest :P Any easy.

2.- Configure this count (Guest).

3.- Add all files (included hidden) to a .tar file and save it (example /etc/init.d/guest.tar)

4.- Create this file /etc/init.d/guest.sh
With this context:
[CODE]#!/bin/sh
rm -rf /home/guest
mkdir /home/guest
chown guest:guest /home/guest
tar -C /home/guest -xvf /etc/init.d/guest.tar[/CODE]

5.- In terminal:
[CODE]sudo chmod +x /etc/init.d/guest.sh
sudo update-rc.d guest.sh defaults[/CODE]

With this 5 steps, all configuration user is restart to "default" (in .tar file), in each retart :)
Cheers!

I've tried an approach like this using the pam_listfile.so for passwordless login. However, it fails for several reasons:

- There is no obvious way to log in as guest. Users that don't speak English won't be able to guess that the special user name (and password). I'd like a simple "Login as Guest" button.

- The passwordless login used by gdm seems to be ignored by gnome-screensaver. If the screensaver kicks in or is started by the user, there is no way to unlock it.

- The users files are deleted on logout. Thats nice from a security and privacy point of view, but the user is not warned that her files will be lost. There has been some discussion about the option to turn a guest session into a regular account. But as far as I know, nothing like that has been implemented.

A solution simular to marocos would be fine for my needs - may be with some little modifications - if it is full usable by installing a single package.

Proposed changes:
- Reset the home directory at logoff

In reply to Martin Pitt's comment #5.

Could it be possible to separate the policy (no anonymous access) from the mechanism (well-implemented guest accounts)? A configurable option, disabled by default, would be a nice compromise.

The need for this feature is real. The scenario in comment #6 happens in my office at least once a month. Anonymous access is not a problem here: to use the guest account somebody must have got access to my office where my desktop computer physically resides. They could easily plug into the network sockets or remove the hard disk.

It is not a security-minded thing to suggest users to develop and deploy their own solutions based on forum posts.

If another person is allowed in the room and I (the admin) have enabled a guest account, then what security liability is there?
I am allowing this person to use my computer with the restricted privileges that come along with a guest account.

Maybe create a desktop user account and lock the account with Gofris: http://www.ubuntugeek.com/gofris-locking-the-systems-got-even-easier.html
Could be a good solution :)

From the website: «Note:- This application is still in development so this might break your system».

There is no need to look for other apps, we have a perfectly valid solution right now, well developed and tested for a long time: gdm-guest-session.

I still do not see why it is acceptable to have root-like password-less accounts (easily configurable in the gdm setting panel) but having password-less admin-accepted gdm-controlled guest accounts.

I believe this is fixed in oneiric.

On 2011-12-24 14:43, Joe Mou wrote:
> I believe this is fixed in oneiric.

Yes. The functionality of gdm-guest-session is included in lightdm, which is the default login manager in Oneiric.