Red Hat Bugzilla – Bug 1271377
Corner case where sddm allows the login even if the provided password is wrong
Last modified: 2015-10-14 03:21:38 EDT
Description of problem:
I found what seems to be a corner case where sddm allows the login even if the provided password is (strictly speaking...) actually "wrong". This might not be a true bug, but *in my opinion* the behavior of sddm is not what a user expects.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure a user without password (with initial-setup, for example)
2. Boot Fedora 23 KDE
3. Type random characters in the password field
1. sddm should refuse the login (the real password is blank).
1. sddm allows the user to login, even if the password is wrong.
Since I encountered the same situation with lightdm (https://bugzilla.redhat.com/show_bug.cgi?id=1268649) and lxdm (https://bugzilla.redhat.com/show_bug.cgi?id=1268624) too, I'm starting to think that I'm wrong and this is an expected behavior.
It probably is expected, and is handled at the PAM layer (which is why all login managers behave the same).
Hi Rex, thank you for the quick answer.
(In reply to Rex Dieter from comment #1)
> It probably is expected, and is handled at the PAM layer (which is why all
> login managers behave the same).
So... That might be the reason why I encountered this while unlocking the screen too: filing another report for it seems useless, then.
Reassigning to pam, for authoritative opinion on how blank passwords are expected to work.
*** Bug 1268649 has been marked as a duplicate of this bug. ***
*** Bug 1268624 has been marked as a duplicate of this bug. ***
Yes, it is an expected behavior. If the display manager actually asked for the password only in case the PAM library calls the conversation function it would not ask for the password at all in this case. So notabug, at least not on the PAM side.
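
An audit sketch for the behavior discussed in this thread, added here as an example and not part of the bug report or of any project's code: it lists accounts whose shadow password field is empty and checks whether the PAM auth stack accepts them. It assumes the stack uses pam_unix with its `nullok` option; the sample shadow and PAM lines are constructed, and the function names are hypothetical.

```python
# Constructed sample data. On a real host, read /etc/shadow and the
# display manager's PAM service file (as root) instead.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:16700:0:99999:7:::
alice::16700:0:99999:7:::
bob:!!:16700:0:99999:7:::
daemon:*:16700:0:99999:7:::
"""
SAMPLE_PAM = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
"""

def empty_password_accounts(shadow_text):
    """Return account names whose shadow password field is empty."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # "!!" and "*" mean locked/no login; only "" means a blank password.
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            names.append(fields[0])
    return names

def auth_allows_null(pam_text):
    """True if an 'auth' line for pam_unix carries the nullok option."""
    for line in pam_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0].lstrip("-") != "auth":
            continue
        i = 1  # index of the last token of the control field
        if tokens[1].startswith("["):  # bracketed control may contain spaces
            while i < len(tokens) and not tokens[i].endswith("]"):
                i += 1
        module, args = tokens[i + 1:i + 2], tokens[i + 2:]
        if module and module[0].rsplit("/", 1)[-1] == "pam_unix.so" and "nullok" in args:
            return True
    return False

def passwordless_logins(shadow_text, pam_text):
    """Accounts that authenticate regardless of what is typed at the greeter."""
    return empty_password_accounts(shadow_text) if auth_allows_null(pam_text) else []

if __name__ == "__main__":
    print(passwordless_logins(SAMPLE_SHADOW, SAMPLE_PAM))
```

The check does not follow `include` or `substack` lines, so run it against the file that actually contains the pam_unix auth entry.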