Bug 2030043
| Summary: | GNOME is not showing "There were * failed login attempts since the last successful login". | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Chino Soliard <csoliard> |
| Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> |
| Status: | CLOSED ERRATA | QA Contact: | Michael Boisvert <mboisver> |
| Severity: | medium | Priority: | medium |
| Version: | 8.4 | CC: | amike, bthekkep, dahchanson, ghildstrom, hdegoede, jwright, mboisver, mkielian, mscott, pbrezina, rstrode, sbarcomb, tpelka, tpopela, vrajput |
| Target Milestone: | rc | Keywords: | Triaged |
| Hardware: | x86_64 | OS: | Linux |
| Fixed In Version: | gdm-40.0-25.el8 | Flags: | pm-rhel: mirror+ |
| Last Closed: | 2023-05-16 08:27:13 UTC | Type: | Bug |
| Bug Blocks: | 2073275 | : | 2073275 |
(In reply to Adrian Soliard from comment #0)

> I note that, by default, RHEL8 does not show those messages, so modifying the postlogin PAM stack to look like the RHEL7 one, but it doesn't work.
>
> RHEL7
>
> ```
> cat /etc/redhat-release ;cat /etc/pam.d/postlogin
> Red Hat Enterprise Linux Server release 7.9 (Maipo)
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
>
> session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
> session [default=1] pam_lastlog.so nowtmp showfailed
> session optional pam_lastlog.so silent noupdate showfailed
> ```
>
> RHEL8
>
> ```
> cat /etc/redhat-release ;cat /etc/pam.d/postlogin
> Red Hat Enterprise Linux release 8.4 (Ootpa)
> # Generated by authselect on Tue Dec 7 14:14:26 2021
> # Do not modify this file manually.
>
> #session optional pam_umask.so silent
> session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
> #session [default=1] pam_lastlog.so nowtmp silent
> session [default=1] pam_lastlog.so nowtmp showfailed
> session optional pam_lastlog.so silent noupdate showfailed
> ```

Your assumption to change the pam stack is correct. I also changed it and in the last successful authentication after several failed attempts, I was able to see the following message on the screen: "Last login: Wed Dec 15 16:25:10 CET 2021 on tty2".

If you follow the same steps with ssh, that is to say, several failed authentication attempts and then the last one is successful:

```
$ ssh testuser@localhost
Last failed login: Wed Dec 15 16:19:34 CET 2021 from ::1 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Wed Dec 15 16:19:14 2021 from ::1
```

The second message is the expected one. Curiously, the last message from ssh is the one that appears on the gnome login screen. So, I wonder, is that screen able to show several messages at the same time? Or does it only show the last one?

Since it seems to work with other tools I think that the problem lies on the desktop environment, so I'm moving the bugzilla to that team. If you have any question don't hesitate to contact me.

> Additional info:
>
> I recreated the case with RHEL8.4. The issue was discovered using RHEL8.3

I was able to reproduce it with RHEL8.2.

Testing Procedure: [ Test failed Text Console Login display in subsequent Gnome Login ]

On a freshly instanced RHEL 7/8 system that has a GUI ( Gnome Installed and active ):

1. Attempt Login via text mode to normal user ( shadowman ) using [ Ctrl + Alt + F2 ] for text console and use deliberately incorrect password.
2. Once it fails, press [ Ctrl + Alt + F1 ] to bring up the GUI and login as same user using correct password into GUI:
3. System SHOULD show the failed login in the GUI Screen, It does in RHEL 7, but not in RHEL 8.

Test Results:

RHEL 7.9: This is the baseline Comparison [ Messages Displayed: ]

- Last Login: ( Date + Time )
- Last Failed Failed - ( Date + Time = Terminal ( tty2)
- There has been 1 Failed login attempt since last login

- RHEL 8.0 [ No Notices were displayed ]
- RHEL 8.1 [ No Notices were displayed ]
- RHEL 8.2 [ No Notices were displayed ]
- RHEL 8.3 [ No Notices were displayed ]
- RHEL 8.4 [ No Notices were displayed ]
- RHEL 8.5 [ No Notices were displayed ]

Note: I have not tested the ssh failed logins and Gnome failed logins yet, but plan on doing so.

I have completed another set of tests, this time using SSH logins that have failed:

Testing Procedure: [ Test failed SSH Login display in subsequent Gnome Login ]

On a freshly instanced RHEL 7/8 system that has a Gnome Installed and active:

1. Attempt Login via text mode to normal user ( shadowman ) using inbound SSH and use deliberately incorrect password.
2. Once it fails, login as same user using correct password into GUI:
3. System SHOULD show the failed login in the GUI Screen, It does in RHEL 7, but not in RHEL 8.

Test Results:

RHEL 7.9: This is the baseline Comparison [ Messages Displayed: ]

- Last Login: ( Date + Time )
- Last Failed Failed - ( Date + Time = Terminal ( ssh )
- There has been 1 Failed login attempt since last login

Testing Note: This Time I am only Testing RHEL 8.0 , 8.4 , and 8.5 as previous test indicates it goes back to RHEL 8.0 and most current RHEL is 8.4/8.5

- RHEL 8.0 [ No Notices were displayed ]
- RHEL 8.4 [ No Notices were displayed ]
- RHEL 8.5 [ No Notices were displayed ]

So it seems to show the message on the graphical login screen, if a failed login happens at a virtual terminal.
This suggests to me that perhaps gdm is failing to write a btmp record for failed log ins.
A quick peek of the code:
```
#if defined(HAVE_UPDWTMPX)
        updwtmpx (GDM_BAD_SESSION_RECORDS_FILE, &session_record);
#elif defined(HAVE_UPDWTMP)
        updwtmp(GDM_BAD_SESSION_RECORDS_FILE, &session_record);
#endif
```
So perhaps those defines aren't getting set since we switched to the meson build system? just a guess, will need to investigate further.
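
The comment above suspects that failed GDM logins never reach the btmp file. As an added example (not code from gdm, pam_lastlog or anyone in this thread), this parser reads btmp-format records and counts a user's failed attempts per terminal since a given last login, which shows which login paths are actually being recorded. The 384-byte record layout (glibc on x86_64 Linux), the sample records and the names `parse_records`, `failures_since` and `make_record` are assumptions made for the example.

```python
import struct
from collections import Counter

# Assumed layout: glibc "struct utmp" on x86_64 Linux, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_records(blob):
    """Yield (user, line, host, tv_sec) for every complete record."""
    usable = len(blob) - len(blob) % UTMP.size  # skip a truncated tail
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield _text(f[4]), _text(f[2]), _text(f[5]), f[9]


def failures_since(blob, user, last_login):
    """Failed attempts for `user` at or after `last_login`, per ut_line."""
    return Counter(line for u, line, _host, ts in parse_records(blob)
                   if u == user and ts >= last_login)


def make_record(user, line, host, ts):
    """Pack one constructed record; ut_type 6 is arbitrary and not checked."""
    return UTMP.pack(6, 0, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, ts, 0, 0, 0, 0, 0)


LAST_LOGIN = 1_700_000_000  # constructed timestamp of the last good login
SAMPLE = b"".join([
    make_record("testuser", "tty2", "", LAST_LOGIN - 100),   # older, ignored
    make_record("testuser", "ssh:notty", "::1", LAST_LOGIN + 10),
    make_record("testuser", "ssh:notty", "::1", LAST_LOGIN + 20),
    make_record("testuser", "tty2", "", LAST_LOGIN + 30),
    make_record("otheruser", "tty2", "", LAST_LOGIN + 40),   # other account
]) + b"\0" * 17                                               # partial record

if __name__ == "__main__":
    per_line = failures_since(SAMPLE, "testuser", LAST_LOGIN)
    print(sum(per_line.values()), "failed attempts:", dict(per_line))
```

On a live system the input would be the contents of the btmp file (commonly `/var/log/btmp`, readable by root). A login path that never appears in the result after a deliberate failed attempt is one whose failures are not being recorded.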
re comment 3, what does your /etc/pam.d/postlogin file look like? Is it the same as the one mentioned in comment 0?

```
[root@rhel8test ~]# ll /etc/pam.d/postlogin
lrwxrwxrwx. 1 root root 25 Jan 10 08:17 /etc/pam.d/postlogin -> /etc/authselect/postlogin
[root@rhel8test ~]# ll /etc/authselect/postlogin
-rw-r--r--. 1 root root 397 Jan 10 08:17 /etc/authselect/postlogin
[root@rhel8test ~]# cat /etc/authselect/postlogin
# Generated by authselect on Mon Jan 10 08:17:01 2022
# Do not modify this file manually.

session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
```

This issue is the btmp record as noted in comment 4. If you fail logins at the terminal or ssh, the failures are correctly shown in GDM during login.

So from poking around a little, this doesn't seem to be a build system problem after all. It's a regression caused by switching to user sessions on a different tty than the login screen.

The problem is, I believe, that the login screen's session isn't ever assigned its display name. The display name is needed to write a btmp record. gdm_manager_handle_register_display only looks for user sessions. It needs to look for login screen sessions as well, I think.

This is a regression of the NIST 800-53 AC-9(1) security control: The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. This needs to be fixed for government customers needing to adhere to NIST & DISA STIG standards.

I can easily reproduce the issue on 8.7 (thanks for the well written bug report). Adding necessary ack, etc.

Created attachment 1919147: patch to fix btmp accounting

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (gdm bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2779
Description of problem:

GNOME is not showing the message "There were * failed login attempts after the last successful login". TTY is showing the message. This is happening just in RHEL8, RHEL7 shows the message.

I note that, by default, RHEL8 does not show those messages, so modifying the postlogin PAM stack to look like the RHEL7 one, but it doesn't work.

RHEL7

```
cat /etc/redhat-release ;cat /etc/pam.d/postlogin
Red Hat Enterprise Linux Server release 7.9 (Maipo)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
```

RHEL8

```
cat /etc/redhat-release ;cat /etc/pam.d/postlogin
Red Hat Enterprise Linux release 8.4 (Ootpa)
# Generated by authselect on Tue Dec 7 14:14:26 2021
# Do not modify this file manually.

#session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
#session [default=1] pam_lastlog.so nowtmp silent
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
```

Version-Release number of selected component (if applicable):

```
# yum list installed gnome*
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Installed Packages
gnome-autoar.x86_64 0.2.3-1.el8 @AppStream
gnome-bluetooth.x86_64 1:3.34.3-1.el8 @AppStream
gnome-bluetooth-libs.x86_64 1:3.34.3-1.el8 @AppStream
gnome-boxes.x86_64 3.36.5-8.el8 @AppStream
gnome-calculator.x86_64 3.28.2-1.el8 @AppStream
gnome-characters.x86_64 3.28.2-1.el8 @AppStream
gnome-classic-session.noarch 3.32.1-14.el8 @AppStream
gnome-color-manager.x86_64 3.28.0-3.el8 @AppStream
gnome-control-center.x86_64 3.28.2-27.el8 @AppStream
gnome-control-center-filesystem.noarch 3.28.2-27.el8 @AppStream
gnome-desktop3.x86_64 3.32.2-1.el8 @AppStream
gnome-disk-utility.x86_64 3.28.3-2.el8 @AppStream
gnome-font-viewer.x86_64 3.28.0-1.el8 @AppStream
gnome-getting-started-docs.noarch 3.28.2-1.el8 @AppStream
gnome-initial-setup.x86_64 3.28.0-9.el8 @AppStream
gnome-keyring.x86_64 3.28.2-1.el8 @AppStream
gnome-keyring-pam.x86_64 3.28.2-1.el8 @AppStream
gnome-logs.x86_64 3.28.5-3.el8 @AppStream
gnome-menus.x86_64 3.13.3-11.el8 @AppStream
gnome-online-accounts.x86_64 3.28.2-2.el8 @AppStream
gnome-remote-desktop.x86_64 0.1.8-3.el8 @AppStream
gnome-screenshot.x86_64 3.26.0-3.el8 @AppStream
gnome-session.x86_64 3.28.1-10.el8 @AppStream
gnome-session-wayland-session.x86_64 3.28.1-10.el8 @AppStream
gnome-session-xsession.x86_64 3.28.1-10.el8 @AppStream
gnome-settings-daemon.x86_64 3.32.0-14.el8 @AppStream
gnome-shell.x86_64 3.32.2-30.el8 @AppStream
gnome-shell-extension-apps-menu.noarch 3.32.1-14.el8 @AppStream
gnome-shell-extension-common.noarch 3.32.1-14.el8 @AppStream
gnome-shell-extension-desktop-icons.noarch 3.32.1-14.el8 @AppStream
gnome-shell-extension-horizontal-workspaces.noarch 3.32.1-14.el8 @AppStream
gnome-shell-extension-launch-new-instance.noarch 3.32.1-14.el8 @AppStream
gnome-shell-extension-places-menu.noarch 3.32.1-14.el8 @AppStream
gnome-shell-extension-window-list.noarch 3.32.1-14.el8 @AppStream
gnome-software.x86_64 3.36.1-5.el8 @AppStream
gnome-system-monitor.x86_64 3.28.2-1.el8 @AppStream
gnome-terminal.x86_64 3.28.3-3.el8 @AppStream
gnome-terminal-nautilus.x86_64 3.28.3-3.el8 @AppStream
gnome-themes-standard.x86_64 3.22.3-4.el8 @AppStream
gnome-user-docs.noarch 3.28.2-1.el8 @AppStream
gnome-video-effects.noarch 0.4.3-3.el8 @AppStream
```

How reproducible:

It is happening all the time. I created a fresh installation of both RHEL7 and RHEL8 to isolate the issue to RHEL8. As said previously, RHEL8 does not show any kind of message with the default postlogin PAM stack. Modifying postlogin PAM stack to look like RHEL7 only shows the last successful login date.

Steps to Reproduce (from fresh RHEL8):

1. Modify postlogin to look like the following (similar to RHEL7):

```
#session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
#session [default=1] pam_lastlog.so nowtmp silent
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
```

2. Simulate failed logins.
3. Login using the correct credentials.

Actual results:

Not showing "There were * failed login attempts after the last successful login"
Showing last successful login.

Expected results:

Show both "There were * failed login attempts after the last successful login" and last successful login.

Additional info:

I recreated the case with RHEL8.4. The issue was discovered using RHEL8.3