Red Hat Bugzilla – Bug 197748
GDM lets people know if it's a bad password or a bad username when authenticating
Last modified: 2007-11-30 17:11:36 EST
Description of problem:
When authenticating with GDM, I've noticed that one can tell if it's a bad
user or a bad password from the combo of bad username/password, giving hackers
- If it's a good username with a bad password, PAM returns with the 'incorrect
username or password. Please try again' message.
- If it's a bad username (eg, the user isn't added on the system) a popup dialog
comes up saying 'authentication failure'
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Start GDM
2. Login with a good username, bad password
3. Try again with a bad username, and the password doesn't matter as the user
isn't on the system anyways...
4. Compare the results of step (2) and (3)
Either a popup dialog or text message is returned, and based on this result a
hacker can possibly find out if a user exists on the system.
GDM shows consistent failure results. Could be fixed easily by implementing this
other bug report:
Simply a shake as it does in Mac OS X would not let the hackers or anyone else
know if they have a bad username or a bad password. It's not too big an issue in
terms of worrying about hackers unless you have VNC or some other GUI remote
administration server running, but nevertheless it's still a big security issue.
Could this be a PAM bug? I recall this happening a while back with a SSH
auto-blocker and it was due to PAM.
Any news on this issue?
When you enter an invalid username does it fail immediately or ask for a password?
No, it accepts the username and password no matter what, but it's the result
(valid user, bad password) = dialog resets and white text appears under 'Enter
Username' stating that you entered bad credentials
(invalid user, any password) = a popup dialog comes up with a red X and it says
Can you attach your /etc/pam.d/system-auth file?
Created attachment 132975
does it say "Authentication Error" or "Authentication Failed" ?
I've changed the version to 'devel' as it's still happening in the development
versions of GDM. Do you think this issue will be resolved for FC6?
Yes, we should fix this before FC6 is released.
So this turns out to be a bug in the pam_succeed_if PAM module.
Created attachment 133654
return "user unknown" error instead of "service error" when the user is unknown.
GDM currently shows the desired error message when the error code is
PAM_AUTH_ERR or PAM_USER_UNKNOWN, and shows the other error message when there
is a problem with the pam configuration.
The pam_succeed_if.so module is returning the wrong error code. The above
patch should fix things up.
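As an added illustration (not GDM's or pam_succeed_if's actual code), the following C sketch models the path this comment describes: an account-lookup module that returns either the buggy PAM_SERVICE_ERR or the corrected PAM_USER_UNKNOWN, GDM's two-way mapping of return codes to messages, and a check that the fix makes "wrong password" and "unknown user" indistinguishable to an observer. The user list, password and message strings are constructed; the PAM constants carry Linux-PAM's values.

```c
/* Added example (not GDM's or Linux-PAM's code): simulates the error-code path
 * described in the bug and checks whether an outside observer can distinguish
 * "valid user, wrong password" from "unknown user". */
#include <string.h>
#include <stdbool.h>

/* Return codes with the values Linux-PAM assigns them. */
#define PAM_SUCCESS       0
#define PAM_SERVICE_ERR   3
#define PAM_AUTH_ERR      7
#define PAM_USER_UNKNOWN 10

/* Constructed stand-in for the system's user database. */
static const char *known_users[] = { "alice", "bob" };
static const char *good_password = "correct-horse";   /* constructed */

static bool user_exists(const char *user) {
    for (size_t i = 0; i < sizeof known_users / sizeof *known_users; i++)
        if (strcmp(known_users[i], user) == 0) return true;
    return false;
}

/* Module-side check: when the account lookup fails, the buggy build returned
 * PAM_SERVICE_ERR (a configuration problem) and the fixed build returns
 * PAM_USER_UNKNOWN, which GDM treats as a credential failure. */
static int authenticate(const char *user, const char *pass, bool fixed) {
    if (!user_exists(user))
        return fixed ? PAM_USER_UNKNOWN : PAM_SERVICE_ERR;
    return strcmp(pass, good_password) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* GDM-side presentation as described above: one generic message for
 * credential failures, a separate popup for everything else. */
static const char *gdm_message(int rc) {
    if (rc == PAM_SUCCESS) return "login ok";
    if (rc == PAM_AUTH_ERR || rc == PAM_USER_UNKNOWN)
        return "Incorrect username or password. Please try again";
    return "Authentication failed";   /* popup: treated as a PAM setup problem */
}

/* True if the two failure cases produce different user-visible output. */
static bool leaks_user_existence(bool fixed) {
    const char *wrong_pw = gdm_message(authenticate("alice", "nope", fixed));
    const char *no_user  = gdm_message(authenticate("mallory", "nope", fixed));
    return strcmp(wrong_pw, no_user) != 0;
}
```

Run leaks_user_existence(false) and leaks_user_existence(true) to see the observable difference disappear once the module reports PAM_USER_UNKNOWN.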
reassigning to PAM maintainer
*** Bug 201787 has been marked as a duplicate of this bug. ***