Description of problem:
When authenticating with GDM, I've noticed that one can tell if it's a bad user or a bad password from the combo of bad username/password, giving hackers an edge:
- If it's a good username with a bad password, PAM returns with the 'incorrect username or password. Please try again' message.
- If it's a bad username (eg, the user isn't added on the system) a popup dialog comes up saying 'authentication failure'

Version-Release number of selected component (if applicable):
gdm 2.14.x
gdm 2.15.x

How reproducible:
Always

Steps to Reproduce:
1. Start GDM
2. Login with a good username, bad password
3. Try again with a bad username, and the password doesn't matter as the user isn't on the system anyways...
4. Compare the results of step (2) and (3)

Actual results:
Either a popup dialog or text message is returned, and based on this result a hacker can possibly find out if a user exists on the system.

Expected results:
GDM shows consistent failure results. Could be fixed easily by implementing this other bug report: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178856 Simply a shake as it does in Mac OS X would not let the hackers or anyone else know if they have a bad username or a bad password. It's not too big an issue in terms of worrying about hackers unless you have VNC or some other GUI remote administration server running, but nevertheless it's still a big security issue.

Additional info:
Could this be a PAM bug? I recall this happening a while back with an SSH auto-blocker and it was due to PAM.
Any news on this issue? Stewart
When you enter an invalid username does it fail immediately or ask for a password?
No, it accepts the username and password no matter what, but it's the result that changes:
(valid user, bad password) = dialog resets and white text appears under 'Enter Username' stating that you entered bad credentials
(invalid user, any password) = a popup dialog comes up with a red X and it says 'Authentication Error'.
Can you attach your /etc/pam.d/system-auth file?
Created attachment 132975 [details] Here's /etc/pam.d/system-auth
does it say "Authentication Error" or "Authentication Failed" ?
Authentication Failed
I've changed the version to 'devel' as it's still happening in the development versions GDM. Do you think this issue will be resolved for FC6?
Yes, we should fix this before FC6 is released.
So this turns out to be a bug in the pam_succeed_if PAM module.
Created attachment 133654 [details] return "user unknown" error instead of "service error" when the user is unknown.

GDM currently shows the desired error message when the error code is PAM_AUTH_ERR or PAM_USER_UNKNOWN, and shows the other error message when there is a problem with the PAM configuration. The pam_succeed_if.so module is returning the wrong error code. The above patch should fix things up.
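The following is an added simulation, not GDM or Linux-PAM code, of the interaction described in the report and in the comment above: a stand-in pam_succeed_if that returns a service error for an unknown user (the buggy behaviour) or PAM_USER_UNKNOWN (the fixed behaviour), a toy pam_unix, and GDM's mapping of PAM result codes to on-screen messages. The user database, passwords and the "first non-success code wins" stacking rule are constructed assumptions; the numeric return codes are Linux-PAM's. Running it shows that with the buggy module two different messages are observable for a known versus an unknown user, and with the fix only one.

```python
"""Constructed model of the GDM / pam_succeed_if username-oracle bug.

Not GDM's or Linux-PAM's code. Return-code values follow Linux-PAM's
_pam_types.h; the user table, passwords and stack semantics are made up
for illustration only.
"""

PAM_SUCCESS = 0
PAM_SERVICE_ERR = 3      # "problem with the PAM configuration" class of error
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10

# Constructed account table (plaintext passwords only because this is a toy).
USERS = {"alice": "correct horse", "bob": "battery staple"}


def pam_succeed_if(user, fixed):
    """Stand-in for pam_succeed_if.so's user lookup.

    Buggy behaviour (as described in the thread): an unknown user yields a
    service error. Fixed behaviour: an unknown user yields PAM_USER_UNKNOWN.
    """
    if user in USERS:
        return PAM_SUCCESS
    return PAM_USER_UNKNOWN if fixed else PAM_SERVICE_ERR


def pam_unix(user, password):
    """Stand-in for pam_unix.so: distinguishes unknown user from bad password."""
    if user not in USERS:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if USERS[user] == password else PAM_AUTH_ERR


def pam_authenticate(user, password, fixed):
    """Toy auth stack (assumed semantics): the first non-success code wins."""
    for rc in (pam_succeed_if(user, fixed), pam_unix(user, password)):
        if rc != PAM_SUCCESS:
            return rc
    return PAM_SUCCESS


def gdm_message(rc):
    """How the greeter maps a PAM result to what the user sees (per the thread)."""
    if rc == PAM_SUCCESS:
        return "login"
    if rc in (PAM_AUTH_ERR, PAM_USER_UNKNOWN):
        return "Incorrect username or password. Please try again."
    # Anything else is treated as a configuration problem: the popup dialog.
    return "Authentication Failed"


def observable_messages(fixed):
    """Distinct messages a person at the greeter can see across a known user
    with a wrong password and an unknown user. More than one message means the
    greeter reveals whether the account exists."""
    probes = (("alice", "wrong password"), ("mallory", "wrong password"))
    return {gdm_message(pam_authenticate(u, p, fixed)) for u, p in probes}


if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed pam_succeed_if" if fixed else "buggy pam_succeed_if"
        print(f"{label}: {sorted(observable_messages(fixed))}")
```

The point the simulation makes is that the leak lives in the module's return code, not in GDM's message table: GDM already collapses PAM_AUTH_ERR and PAM_USER_UNKNOWN into one message, so once pam_succeed_if reports PAM_USER_UNKNOWN the two failure cases become indistinguishable at the login screen.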
reassigning to PAM maintainer
*** Bug 201787 has been marked as a duplicate of this bug. ***