[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled via gnome-system-tools
This bug was fixed in the package ubuntu-mate-meta - 1.282 --- ubuntu-mate-meta (1.282) jammy; urgency=medium * Refreshed dependencies * Removed gnome-system-tools from core-recommends, desktop-recommends (LP: #1706770) -- Martin Wimpress Sat, 09 Apr 2022 01:01:57 +0100 ** Changed in: ubuntu-mate-meta (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled via gnome- system-tools Status in arctica-greeter package in Ubuntu: Invalid Status in gnome-system-tools package in Ubuntu: Triaged Status in lightdm package in Ubuntu: Invalid Status in mate-screensaver package in Ubuntu: Invalid Status in mate-session-manager package in Ubuntu: Invalid Status in ubuntu-mate-meta package in Ubuntu: Fix Released Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/arctica-greeter/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled via gnome-system-tools
** Changed in: ubuntu-mate-meta (Ubuntu) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled via gnome- system-tools Status in arctica-greeter package in Ubuntu: Invalid Status in gnome-system-tools package in Ubuntu: Triaged Status in lightdm package in Ubuntu: Invalid Status in mate-screensaver package in Ubuntu: Invalid Status in mate-session-manager package in Ubuntu: Invalid Status in ubuntu-mate-meta package in Ubuntu: Fix Committed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/arctica-greeter/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
This issue is caused by the Users and Groups utility which is part of `gnome-system-tools`. When changing the password from "Asked on logon" to "Not asked on logon" the user is added to the `nopasswdlogin` group and this is what causes the switch-user screen to not ask for a password. If you select the option to not require a password to login during installation, it is not possible to bypass authentication when switching users. This is because `autologin-user` is set to your username in `/etc/lightdm/lightdm.conf` and that works correctly. `gnome-system-tools` was originally included in Ubuntu MATE because it offers user and time management features. But it can now be removed from the Ubuntu MATE default install because recent versions of MATE Control Center provide user and time management. ** Changed in: ubuntu-mate-meta (Ubuntu) Status: Triaged => In Progress ** Summary changed: - Lock screen can be bypassed when auto-login is enabled. + Lock screen can be bypassed when auto-login is enabled via gnome-system-tools -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled via gnome- system-tools Status in arctica-greeter package in Ubuntu: Invalid Status in gnome-system-tools package in Ubuntu: Triaged Status in lightdm package in Ubuntu: Invalid Status in mate-screensaver package in Ubuntu: Invalid Status in mate-session-manager package in Ubuntu: Invalid Status in ubuntu-mate-meta package in Ubuntu: In Progress Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/arctica-greeter/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
** Also affects: gnome-system-tools (Ubuntu) Importance: Undecided Status: New ** Also affects: ubuntu-mate-meta (Ubuntu) Importance: Undecided Status: New ** Changed in: lightdm (Ubuntu) Status: Fix Committed => Invalid ** Changed in: arctica-greeter (Ubuntu) Status: New => Invalid ** Changed in: gnome-system-tools (Ubuntu) Status: New => Confirmed ** Changed in: gnome-system-tools (Ubuntu) Status: Confirmed => Triaged ** Changed in: mate-screensaver (Ubuntu) Status: New => Invalid ** Changed in: ubuntu-mate-meta (Ubuntu) Status: New => Triaged ** Changed in: ubuntu-mate-meta (Ubuntu) Importance: Undecided => Critical ** Changed in: ubuntu-mate-meta (Ubuntu) Assignee: (unassigned) => Martin Wimpress (flexiondotorg) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in arctica-greeter package in Ubuntu: Invalid Status in gnome-system-tools package in Ubuntu: Triaged Status in lightdm package in Ubuntu: Invalid Status in mate-screensaver package in Ubuntu: Invalid Status in mate-session-manager package in Ubuntu: Invalid Status in ubuntu-mate-meta package in Ubuntu: Triaged Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/arctica-greeter/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
** Also affects: mate-screensaver (Ubuntu) Importance: Undecided Status: New ** Also affects: arctica-greeter (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in arctica-greeter package in Ubuntu: New Status in gnome-system-tools package in Ubuntu: New Status in lightdm package in Ubuntu: Fix Committed Status in mate-screensaver package in Ubuntu: New Status in mate-session-manager package in Ubuntu: Invalid Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/arctica-greeter/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
** No longer affects: ubuntu-mate ** Changed in: mate-session-manager (Ubuntu) Status: Confirmed => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in arctica-greeter package in Ubuntu: New Status in lightdm package in Ubuntu: Fix Committed Status in mate-screensaver package in Ubuntu: New Status in mate-session-manager package in Ubuntu: Invalid Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/arctica-greeter/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
** Tags added: bionic focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in Ubuntu MATE: Confirmed Status in lightdm package in Ubuntu: Fix Committed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
#6 Chris quote: 4. Go to "System" -> "Administration" -> "Users and Groups". 5. Change password from "Asked on logon" to "Not asked on logon". 6. Lock your machine. 7. Press "Switch User". 8. Observe no password is required to unlock as the current user. I confirm this issue on Ubuntu Mate 20.04.0 in a virtual machine. I can reproduce it each times. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in Ubuntu MATE: Confirmed Status in lightdm package in Ubuntu: Fix Committed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
Dammit! I cant believe this level of lack of security could happen in this project. WHAT A SHAME! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in Ubuntu MATE: Confirmed Status in lightdm package in Ubuntu: Fix Committed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
** Tags added: xenial -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in Ubuntu MATE: Confirmed Status in lightdm package in Ubuntu: Fix Committed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
** Changed in: lightdm (Ubuntu) Status: Confirmed => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in Ubuntu MATE: Confirmed Status in lightdm package in Ubuntu: Fix Committed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in Ubuntu MATE: Confirmed Status in lightdm package in Ubuntu: Confirmed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
** Changed in: ubuntu-mate Status: New => Confirmed ** Information type changed from Public Security to Private Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in Ubuntu MATE: Confirmed Status in lightdm package in Ubuntu: Confirmed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
After a bit more investigation, being in the `nopasswdlogin` group is what causes the switch-user screen to not ask for a password. Having `autologin-user` set to your username in /etc/lightdm/lightdm.conf is what works correctly. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in ubuntu-mate: New Status in lightdm package in Ubuntu: Confirmed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
If it helps, I've reproduced this in a fresh Ubuntu Mate virtual machine. 1. Install Ubuntu Mate following all the usual steps until you get to the account creation screen. 2. Create a user account with a password and leave "require password at login" checked. 3. Finish installation and reboot. 4. Go to "System" -> "Administration" -> "Users and Groups". 5. Change password from "Asked on logon" to "Not asked on logon". 6. Lock your machine. 7. Press "Switch User". 8. Observe no password is required to unlock as the current user. For some reason, the problem doesn't happen when you set your account to not require a password at installation. Even more oddly, the user account still shows "Asked on logon" for the user created at installation, even though the option to not require a password was checked, and seems to be effective at boot. I guess they must just be implemented in different ways. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in ubuntu-mate: New Status in lightdm package in Ubuntu: Confirmed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: mate-session-manager (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in ubuntu-mate: New Status in lightdm package in Ubuntu: Confirmed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: lightdm (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in ubuntu-mate: New Status in lightdm package in Ubuntu: Confirmed Status in mate-session-manager package in Ubuntu: Confirmed Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
Unable to reproduce this in Ubuntu MATE 17.04. I use full-disk encryption too and enabled auto-login as well. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in ubuntu-mate: New Status in lightdm package in Ubuntu: New Status in mate-session-manager package in Ubuntu: New Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.
** Also affects: lightdm (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1706770 Title: Lock screen can be bypassed when auto-login is enabled. Status in ubuntu-mate: New Status in lightdm package in Ubuntu: New Status in mate-session-manager package in Ubuntu: New Bug description: 16.04 LTS = Hi, My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot. When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password. Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled). Thanks, Chris To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
