"auth required" case
/etc/pam.d/common-auth:
auth required pam_usb.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
Tom: knows his password and has the USB device
John: knows Tom's password somehow but does not have the USB device
Expected:
To log in as Tom, a user must both know Tom's password and have the USB device.
Actual:
== Tom logged out with the USB device plugged in ==
[+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Starting Light Display Manager 1.2.3, UID=0 PID=12837
<snip>
[+0.65s] DEBUG: Activating VT 7
[+1.48s] DEBUG: Greeter start authentication for tom
[+1.48s] DEBUG: Started session 12960 with service 'lightdm', username 'tom'
[+1.65s] DEBUG: Session 12960 got 1 message(s) from PAM
[+1.65s] DEBUG: Prompt greeter with 1 message(s)
== Tom left the PC with the unplugged USB device ==
== After a few minutes, John came to the PC and entered Tom's password ==
[+22.02s] DEBUG: Continue authentication
[+22.06s] DEBUG: Session 12960 authentication complete with return value 0: Success
[+22.06s] DEBUG: Authenticate result for user tom: Success
[+22.08s] DEBUG: User tom authorized
[+22.10s] DEBUG: Greeter requests session ubuntu
[+22.10s] DEBUG: Using session ubuntu
[+22.10s] DEBUG: Stopping greeter
<snip>
[+22.44s] DEBUG: Starting session ubuntu as user tom
== John can log in as Tom without any USB device, just by entering the password ==
That is undesired behavior. lightdm does not time out authentication or
check the authentication result for the USB device again at the real login.
Putting pam_usb.so after pam_unix.so can prevent the situation, though.
** Changed in: lightdm (Ubuntu)
Status: Incomplete => New
--
https://bugs.launchpad.net/bugs/1159457
Title:
lightdm allows login with unplugged device needed for authentication
Status in “lightdm” package in Ubuntu:
Confirmed
Bug description:
Even if I unplug the device needed for authentication, lightdm still
allows login without the device.
How to reproduce:
1. set up pam_usb.so or pam_blue.so with "auth sufficient" in
/etc/pam.d/common-auth
pam_usb.so:
https://github.com/aluzzardi/pam_usb/wiki/Getting-Started
pam_blue.so:
http://tjworld.net/wiki/Linux/Ubuntu/BluetoothLoginAndLocking
2. log in as the user with the device
3. log out
4. unplug the USB device or turn off the bluetooth device
5. press Enter to log in
Expected result:
login rejected or fallback to password login
Actual result:
login allowed, without the device or password
WORKAROUND:
make sure to press Esc on lightdm *after* unplugging the device
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: lightdm 1.2.3-0ubuntu1
ProcVersionSignature: Ubuntu 3.5.0-26.42~precise1-generic 3.5.7.6
Uname: Linux 3.5.0-26-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.1
Architecture: amd64
CheckboxSubmission: 65fa7c094c0293dd4e9a81057a36a8fe
CheckboxSystem: 0657dd966bc74d2b22e7c94051aa55af
Date: Mon Mar 25 01:06:44 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 12.04.2 LTS "Precise Pangolin" - Release amd64
(20130213)
MarkForUpload: True
ProcEnviron:
TERM=xterm
SHELL=/bin/bash
PATH=(custom, no user)
LANG=ja_JP.UTF-8
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)
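An added example, not part of the bug report or of lightdm: a small check for the ordering discussed in the "auth required" comment, listing device-presence modules that PAM evaluates before a later password prompt, so the device result can be stale by the time the password is entered. The module classification and the reordered stack are assumptions constructed for illustration.

```python
import re

# Assumption of this sketch: these sets classify the modules named in the
# report. pam_usb.so / pam_blue.so test device presence; pam_unix.so prompts.
DEVICE_MODULES = {"pam_usb.so", "pam_blue.so"}
PROMPTING_MODULES = {"pam_unix.so"}

# The stack quoted in the comment, and a constructed reordering (not from the
# report) where success=1 on pam_unix.so skips pam_deny.so and reaches pam_usb.so.
REPORTED = """\
auth required pam_usb.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
REORDERED = """\
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_usb.so
auth required pam_permit.so
"""

def parse_auth_stack(text):
    """Return (lineno, control, module) for every 'auth' line of a PAM file."""
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            # Modules may be given with a full path; compare on the file name.
            stack.append((lineno, m.group(1), m.group(2).rsplit("/", 1)[-1]))
    return stack

def device_checks_before_prompt(text):
    """List device checks that PAM evaluates before a later interactive prompt."""
    stack = parse_auth_stack(text)
    findings = []
    for i, (lineno, control, module) in enumerate(stack):
        if module in DEVICE_MODULES:
            later = [m for _, _, m in stack[i + 1:] if m in PROMPTING_MODULES]
            if later:
                findings.append((lineno, control, module, later[0]))
    return findings

if __name__ == "__main__":
    for name, conf in (("reported", REPORTED), ("reordered", REORDERED)):
        print(name, device_checks_before_prompt(conf))
```

The check only reports ordering; it does not change how lightdm caches or re-evaluates the PAM result.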