[Desktop-packages] [Bug 1159457] Re: lightdm allows login with unplugged device needed for authentication
auth sufficient means that device isn't required for authentication. Have you tried auth required? ** Changed in: lightdm (Ubuntu) Status: New = Incomplete -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1159457 Title: lightdm allows login with unplugged device needed for authentication Status in “lightdm” package in Ubuntu: Incomplete Bug description: Even if I unplugged device needed for authentication, lightdm still allows login without the device. How to reproduce: 1. setup pam_usb.so or pam_blue.so with auth sufficient on /etc/pam.d/common-auth pam_usb.so: https://github.com/aluzzardi/pam_usb/wiki/Getting-Started pam_blue.so: http://tjworld.net/wiki/Linux/Ubuntu/BluetoothLoginAndLocking 2. login to the user with the device 3. logout 4. unplug the USB device or turning off the bluetooth device 5. press Enter to login Expected result: login rejected or fallback to password login Actual result: login allowed, without the device or password WORKAROUND: make sure to press Esc on lightdm *after* unplugging the device ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: lightdm 1.2.3-0ubuntu1 ProcVersionSignature: Ubuntu 3.5.0-26.42~precise1-generic 3.5.7.6 Uname: Linux 3.5.0-26-generic x86_64 ApportVersion: 2.0.1-0ubuntu17.1 Architecture: amd64 CheckboxSubmission: 65fa7c094c0293dd4e9a81057a36a8fe CheckboxSystem: 0657dd966bc74d2b22e7c94051aa55af Date: Mon Mar 25 01:06:44 2013 EcryptfsInUse: Yes InstallationMedia: Ubuntu 12.04.2 LTS Precise Pangolin - Release amd64 (20130213) MarkForUpload: True ProcEnviron: TERM=xterm SHELL=/bin/bash PATH=(custom, no user) LANG=ja_JP.UTF-8 SourcePackage: lightdm UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1159457/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1159457] Re: lightdm allows login with unplugged device needed for authentication
Hi Marc, in the situation described in comment #2, I can login with *un*plugged device and *no* password like auto-login. I will try auth required anyway. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1159457 Title: lightdm allows login with unplugged device needed for authentication Status in “lightdm” package in Ubuntu: Incomplete Bug description: Even if I unplugged device needed for authentication, lightdm still allows login without the device. How to reproduce: 1. setup pam_usb.so or pam_blue.so with auth sufficient on /etc/pam.d/common-auth pam_usb.so: https://github.com/aluzzardi/pam_usb/wiki/Getting-Started pam_blue.so: http://tjworld.net/wiki/Linux/Ubuntu/BluetoothLoginAndLocking 2. login to the user with the device 3. logout 4. unplug the USB device or turning off the bluetooth device 5. press Enter to login Expected result: login rejected or fallback to password login Actual result: login allowed, without the device or password WORKAROUND: make sure to press Esc on lightdm *after* unplugging the device ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: lightdm 1.2.3-0ubuntu1 ProcVersionSignature: Ubuntu 3.5.0-26.42~precise1-generic 3.5.7.6 Uname: Linux 3.5.0-26-generic x86_64 ApportVersion: 2.0.1-0ubuntu17.1 Architecture: amd64 CheckboxSubmission: 65fa7c094c0293dd4e9a81057a36a8fe CheckboxSystem: 0657dd966bc74d2b22e7c94051aa55af Date: Mon Mar 25 01:06:44 2013 EcryptfsInUse: Yes InstallationMedia: Ubuntu 12.04.2 LTS Precise Pangolin - Release amd64 (20130213) MarkForUpload: True ProcEnviron: TERM=xterm SHELL=/bin/bash PATH=(custom, no user) LANG=ja_JP.UTF-8 SourcePackage: lightdm UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1159457/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1159457] Re: lightdm allows login with unplugged device needed for authentication
auth sufficient case /etc/pam.d/common-auth: authsufficient pam_usb.so auth[success=1 default=ignore] pam_unix.so nullok_secure try_first_pass authrequisite pam_deny.so authrequiredpam_permit.so authoptionalpam_ecryptfs.so unwrap authoptionalpam_cap.so Tom: knows his password and has the USB device John: does not know Tom's password or have the USB device Expected: To login as Tom, an user must know Tom's password or have the USB device either. Actual: == Tom logged out with the USB device plugged == [+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log [+0.00s] DEBUG: Starting Light Display Manager 1.2.3, UID=0 PID=7727 snip [+0.85s] DEBUG: Activating VT 7 [+1.64s] DEBUG: Greeter start authentication for tom [+1.64s] DEBUG: Started session 7854 with service 'lightdm', username 'tom' [+1.87s] DEBUG: Session 7854 authentication complete with return value 0: Success [+1.87s] DEBUG: Authenticate result for user tom: Success [+1.91s] DEBUG: User tom authorized == Tom left from the PC with the unplugged USB device == == After a few minutes, John came at the PC then press Enter == [+107.87s] DEBUG: Greeter requests session ubuntu [+107.87s] DEBUG: Using session ubuntu [+107.87s] DEBUG: Stopping greeter snip [+108.54s] DEBUG: Starting session ubuntu as user tom == John can login as Tom without typing any password or having any USB device == That is undesired behavior. lightdm does not timeout authentication or check authenticate result again at real login. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1159457 Title: lightdm allows login with unplugged device needed for authentication Status in “lightdm” package in Ubuntu: Incomplete Bug description: Even if I unplugged device needed for authentication, lightdm still allows login without the device. How to reproduce: 1. setup pam_usb.so or pam_blue.so with auth sufficient on /etc/pam.d/common-auth pam_usb.so: https://github.com/aluzzardi/pam_usb/wiki/Getting-Started pam_blue.so: http://tjworld.net/wiki/Linux/Ubuntu/BluetoothLoginAndLocking 2. login to the user with the device 3. logout 4. unplug the USB device or turning off the bluetooth device 5. press Enter to login Expected result: login rejected or fallback to password login Actual result: login allowed, without the device or password WORKAROUND: make sure to press Esc on lightdm *after* unplugging the device ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: lightdm 1.2.3-0ubuntu1 ProcVersionSignature: Ubuntu 3.5.0-26.42~precise1-generic 3.5.7.6 Uname: Linux 3.5.0-26-generic x86_64 ApportVersion: 2.0.1-0ubuntu17.1 Architecture: amd64 CheckboxSubmission: 65fa7c094c0293dd4e9a81057a36a8fe CheckboxSystem: 0657dd966bc74d2b22e7c94051aa55af Date: Mon Mar 25 01:06:44 2013 EcryptfsInUse: Yes InstallationMedia: Ubuntu 12.04.2 LTS Precise Pangolin - Release amd64 (20130213) MarkForUpload: True ProcEnviron: TERM=xterm SHELL=/bin/bash PATH=(custom, no user) LANG=ja_JP.UTF-8 SourcePackage: lightdm UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1159457/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1159457] Re: lightdm allows login with unplugged device needed for authentication
auth required case /etc/pam.d/common-auth: auth required pam_usb.so auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass auth requisite pam_deny.so auth required pam_permit.so auth optional pam_ecryptfs.so unwrap auth optional pam_cap.so Tom: knows his password and has the USB device John: knows Tom's password somehow but does not have the USB device Expected: To login as Tom, an user must know Tom's password and have the USB device both. Actual: == Tom logged out with the USB device plugged == [+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log [+0.00s] DEBUG: Starting Light Display Manager 1.2.3, UID=0 PID=12837 snip [+0.65s] DEBUG: Activating VT 7 [+1.48s] DEBUG: Greeter start authentication for tom [+1.48s] DEBUG: Started session 12960 with service 'lightdm', username 'tom' [+1.65s] DEBUG: Session 12960 got 1 message(s) from PAM [+1.65s] DEBUG: Prompt greeter with 1 message(s) == Tom left from the PC with the unplugged USB device == == After a few minutes, John came at the PC then input Tom's password == [+22.02s] DEBUG: Continue authentication [+22.06s] DEBUG: Session 12960 authentication complete with return value 0: Success [+22.06s] DEBUG: Authenticate result for user tom: Success [+22.08s] DEBUG: User tom authorized [+22.10s] DEBUG: Greeter requests session ubuntu [+22.10s] DEBUG: Using session ubuntu [+22.10s] DEBUG: Stopping greeter snip [+22.44s] DEBUG: Starting session ubuntu as user tom == John can login as Tom without any USB device, just input password == That is undesired behavior. lightdm does not timeout authentication or check authenticate result for USB device again at real login. Putting pam_usb.so after pam_unix.so can prevent the situation though. ** Changed in: lightdm (Ubuntu) Status: Incomplete = New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1159457 Title: lightdm allows login with unplugged device needed for authentication Status in “lightdm” package in Ubuntu: Confirmed Bug description: Even if I unplugged device needed for authentication, lightdm still allows login without the device. How to reproduce: 1. setup pam_usb.so or pam_blue.so with auth sufficient on /etc/pam.d/common-auth pam_usb.so: https://github.com/aluzzardi/pam_usb/wiki/Getting-Started pam_blue.so: http://tjworld.net/wiki/Linux/Ubuntu/BluetoothLoginAndLocking 2. login to the user with the device 3. logout 4. unplug the USB device or turning off the bluetooth device 5. press Enter to login Expected result: login rejected or fallback to password login Actual result: login allowed, without the device or password WORKAROUND: make sure to press Esc on lightdm *after* unplugging the device ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: lightdm 1.2.3-0ubuntu1 ProcVersionSignature: Ubuntu 3.5.0-26.42~precise1-generic 3.5.7.6 Uname: Linux 3.5.0-26-generic x86_64 ApportVersion: 2.0.1-0ubuntu17.1 Architecture: amd64 CheckboxSubmission: 65fa7c094c0293dd4e9a81057a36a8fe CheckboxSystem: 0657dd966bc74d2b22e7c94051aa55af Date: Mon Mar 25 01:06:44 2013 EcryptfsInUse: Yes InstallationMedia: Ubuntu 12.04.2 LTS Precise Pangolin - Release amd64 (20130213) MarkForUpload: True ProcEnviron: TERM=xterm SHELL=/bin/bash PATH=(custom, no user) LANG=ja_JP.UTF-8 SourcePackage: lightdm UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1159457/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1159457] Re: lightdm allows login with unplugged device needed for authentication
Ah, yes, I see what's happening now. The pam_usb module is granting access without a prompt as soon as lightdm spawns which lightdm caches even when you remove the token. ** Changed in: lightdm (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1159457 Title: lightdm allows login with unplugged device needed for authentication Status in “lightdm” package in Ubuntu: Confirmed Bug description: Even if I unplugged device needed for authentication, lightdm still allows login without the device. How to reproduce: 1. setup pam_usb.so or pam_blue.so with auth sufficient on /etc/pam.d/common-auth pam_usb.so: https://github.com/aluzzardi/pam_usb/wiki/Getting-Started pam_blue.so: http://tjworld.net/wiki/Linux/Ubuntu/BluetoothLoginAndLocking 2. login to the user with the device 3. logout 4. unplug the USB device or turning off the bluetooth device 5. press Enter to login Expected result: login rejected or fallback to password login Actual result: login allowed, without the device or password WORKAROUND: make sure to press Esc on lightdm *after* unplugging the device ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: lightdm 1.2.3-0ubuntu1 ProcVersionSignature: Ubuntu 3.5.0-26.42~precise1-generic 3.5.7.6 Uname: Linux 3.5.0-26-generic x86_64 ApportVersion: 2.0.1-0ubuntu17.1 Architecture: amd64 CheckboxSubmission: 65fa7c094c0293dd4e9a81057a36a8fe CheckboxSystem: 0657dd966bc74d2b22e7c94051aa55af Date: Mon Mar 25 01:06:44 2013 EcryptfsInUse: Yes InstallationMedia: Ubuntu 12.04.2 LTS Precise Pangolin - Release amd64 (20130213) MarkForUpload: True ProcEnviron: TERM=xterm SHELL=/bin/bash PATH=(custom, no user) LANG=ja_JP.UTF-8 SourcePackage: lightdm UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1159457/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1159457] Re: lightdm allows login with unplugged device needed for authentication
You can work around the behaviour by putting the following in the lightdm.conf file: greeter-hide-users=true -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1159457 Title: lightdm allows login with unplugged device needed for authentication Status in “lightdm” package in Ubuntu: Confirmed Bug description: Even if I unplugged device needed for authentication, lightdm still allows login without the device. How to reproduce: 1. setup pam_usb.so or pam_blue.so with auth sufficient on /etc/pam.d/common-auth pam_usb.so: https://github.com/aluzzardi/pam_usb/wiki/Getting-Started pam_blue.so: http://tjworld.net/wiki/Linux/Ubuntu/BluetoothLoginAndLocking 2. login to the user with the device 3. logout 4. unplug the USB device or turning off the bluetooth device 5. press Enter to login Expected result: login rejected or fallback to password login Actual result: login allowed, without the device or password WORKAROUND: make sure to press Esc on lightdm *after* unplugging the device ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: lightdm 1.2.3-0ubuntu1 ProcVersionSignature: Ubuntu 3.5.0-26.42~precise1-generic 3.5.7.6 Uname: Linux 3.5.0-26-generic x86_64 ApportVersion: 2.0.1-0ubuntu17.1 Architecture: amd64 CheckboxSubmission: 65fa7c094c0293dd4e9a81057a36a8fe CheckboxSystem: 0657dd966bc74d2b22e7c94051aa55af Date: Mon Mar 25 01:06:44 2013 EcryptfsInUse: Yes InstallationMedia: Ubuntu 12.04.2 LTS Precise Pangolin - Release amd64 (20130213) MarkForUpload: True ProcEnviron: TERM=xterm SHELL=/bin/bash PATH=(custom, no user) LANG=ja_JP.UTF-8 SourcePackage: lightdm UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1159457/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1159457] Re: lightdm allows login with unplugged device needed for authentication
== logout== Mar 25 00:58:29 test-machine lightdm[5833]: pam_unix(lightdm:session): session closed for user usb-auth == start ligthdm == Mar 25 00:58:31 test-machine lightdm: pam_unix(lightdm:session): session opened for user lightdm by (uid=0) Mar 25 00:58:31 test-machine lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :1 Mar 25 00:58:32 test-machine lightdm: pam_succeed_if(lightdm:auth): requirement user ingroup nopasswdlogin not met by user usb-auth Mar 25 00:58:32 test-machine pam_usb[7042]: pam_usb v0.5.0 Mar 25 00:58:32 test-machine pam_usb[7042]: Authentication request for user usb-auth (lightdm) Mar 25 00:58:32 test-machine pam_usb[7042]: Device MyKey2 is connected (good). Mar 25 00:58:32 test-machine pam_usb[7042]: Performing one time pad verification... Mar 25 00:58:32 test-machine pam_usb[7042]: Access granted. Mar 25 00:58:32 test-machine dbus[1056]: [system] Rejected send message, 2 matched rules; type=method_call, sender=:1.213 (uid=104 pid=7055 comm=/usr/lib/indicator-datetime/indicator-datetime-ser) interface=org.freedesktop.DBus.Properties member=GetAll error name=(unset) requested_reply=0 destination=:1.17 (uid=0 pid=1380 comm=/usr/sbin/console-kit-daemon --no-daemon ) == unplug the USB device == == login == Mar 25 00:58:39 test-machine lightdm: pam_unix(lightdm:session): session closed for user lightdm Mar 25 00:58:39 test-machine lightdm[7042]: pam_unix(lightdm:session): session opened for user usb-auth by (uid=0) Mar 25 00:58:39 test-machine lightdm[7042]: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :1 == login success without the USB device == -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1159457 Title: lightdm allows login with unplugged device needed for authentication Status in “lightdm” package in Ubuntu: New Bug description: Even if I unplugged device needed for authentication, lightdm still allows login without the device. How to reproduce: 1. setup pam_usb.so or pam_blue.so with auth sufficient on /etc/pam.d/common-auth pam_usb.so: https://github.com/aluzzardi/pam_usb/wiki/Getting-Started pam_blue.so: http://tjworld.net/wiki/Linux/Ubuntu/BluetoothLoginAndLocking 2. login to the user with the device 3. logout 4. unplug the USB device or turning off the bluetooth device 5. press Enter to login Expected result: login rejected or fallback to password login Actual result: login allowed, without the device or password WORKAROUND: make sure to press Esc on lightdm *after* unplugging the device ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: lightdm 1.2.3-0ubuntu1 ProcVersionSignature: Ubuntu 3.5.0-26.42~precise1-generic 3.5.7.6 Uname: Linux 3.5.0-26-generic x86_64 ApportVersion: 2.0.1-0ubuntu17.1 Architecture: amd64 CheckboxSubmission: 65fa7c094c0293dd4e9a81057a36a8fe CheckboxSystem: 0657dd966bc74d2b22e7c94051aa55af Date: Mon Mar 25 01:06:44 2013 EcryptfsInUse: Yes InstallationMedia: Ubuntu 12.04.2 LTS Precise Pangolin - Release amd64 (20130213) MarkForUpload: True ProcEnviron: TERM=xterm SHELL=/bin/bash PATH=(custom, no user) LANG=ja_JP.UTF-8 SourcePackage: lightdm UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1159457/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp