It’s less safe because even if that user-session is not launched, the passwords are stored in plain text.
Totally agree with everything else.
Then why treat auto-login and manual login differently? What is the safety benefit? OK, it means a random user not in the know won’t be able to:
⋅ use a web browser with stored passwords,
⋅ use the file explorer to access network shares, smb, ftp, and so on.
Guess what? It’s more pain than gain. If a PC is set to autologin, it’s probably intended to ease that access without asking many people to know each and every password. Because once known by too many, those passwords become useless…
How come? Isn’t the user’s password used to log in? Then why doesn’t it unlock the keyring? As you mentioned, once a session is open and running, anyone in front of it has access to anything. But at least when that session goes off, the stored secrets are no longer easily readable.
A safer session would always ask for passwords and store none of them. That’s not what autologin does, since once you have unlocked the keyring it stays open until the end of the session. Like a normal manually logged-in session.
I can’t see consistency here.
The logon screen takes the password you typed and passes it to gnome-keyring to unlock.
Since you haven’t entered a password on autologin, there isn’t anything to pass to gnome-keyring. Remember, passwords are not stored by the login window, so it has no knowledge of your password in an autologin scenario.
Sorry, gents, maybe I’ve misunderstood something: manual login doesn’t work if user isn’t in /etc/passwd (if user doesn’t exist); afaik manual login is used by those who want to get UI access as root (after having changed root pw and set PermitRootLogin yes in /etc/ssh/sshd) … or not?
Sil
PS: my system asks me for a password for keyring unlocking only when I’m xrdp-ing