Red Hat Bugzilla – Bug 201507
CVE-2006-3742 second login attempt by validated user bypasses login passwords
Last modified: 2007-11-30 17:11:39 EST
Description of problem:
Using KDM and KDE (not GDM), a regular user must enter a password only once.
After logging out, anyone can log in as that user without a password. Logout
memorizes passwords until the next reboot.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use KDM and KDE as login manager and setup.
2. Login as a regular user (might work with root if root is allowed, don't know).
4. Log back in under KDM without entering a password.
Login always succeeds until rebooted.
Login should be denied without a password.
Manually running, as root from a console, "init 3" then "init 5" also removes
the password memorization.
I have not tested whether remote logins have this same behavior when set up for
I also found out that if I log out, then control-alt-F1 to get to a console,
then alt-F7 to get back, it also stops the bug from showing up. It seems to
cache the password so long as the KDM manager itself is not made to give up any
cache it has for the most recent session. It seems that there is some sort of
current session cache that KDM fails to give up after the KDE logout, but other
actions do clear the cache (maybe it isn't cached, but it sure acts the same as
a cache with a buggy mechanism for knowing when to invalidate it).
I see this behavior with FC5 and FC6t2.
I'm assigning this issue CVE-2006-3742.
There doesn't seem to be an upstream bug for this issue. If there are no
complaints, I'll forward this issue on to the KDE security team and vendor-sec.
I have tried the above steps and cannot reproduce this problem here with current
fc5 and FC6 (rawhide).
It seems you have enabled kdm autologin; it does not require a password if this
option is enabled. This option is disabled by default.
Could you please check again? Thanks
No autologin is enabled. I login as myself, logout, then type my username in
and hit enter while the username textbox has focus. Without entering a password
I am able to login.
The kdm configuration file is the one distributed in the kdebase rpm file.
# rpm -q kdebase
I did some testing regarding this problem and it didn't manifest itself on
bootup, but only after I did a telinit 3, telinit 5.
I have now reinstalled kdebase-3.5.4-0.2.fc5 and made sure that I use
the kdm configuration in kdebase.
I login as myself (than), then logout and type my username (than)
in "Username:" and hit enter; the cursor jumps immediately into "Password:".
I have to enter my correct password here, otherwise I get "Login Faild".
Strange! Why does it work on my machine?
Could you please send /etc/X11/xdm/kdmrc and /etc/pam.d/kdm?
Created attachment 134836 [details]
My kdmrc file
Created attachment 134837 [details]
My /etc/pam.d/kdm file
I have not enabled any autologin... perhaps if this is a mistaken default installation
on fedora it would explain it... attaching kdm and kdm-np from pam.d right after
I add this note.
I have to wonder though if this would have an effect on any other console
login...I'm guessing not. In any case, KDM is the only login with this behavior,
and certainly it was not enabled by myself.
Created attachment 134873 [details]
Unmodified by myself.
Created attachment 134874 [details]
From fc5, unmodified by myself.
I can now reproduce this bug on my test machine too. It's not a bug in kde
upstream, but it's a bug in our pam config file. It's only affected in
I will push new kdebase in fc5-update and rawhide soon.
Thanks for your report.
Thanks Than. Can you give me the fix, I'll at least give the vendor-sec crowd a
heads up (in the event any of them are vulnerable). Feel free to push updates
whenever you wish.
Please be sure to release the FC5 update as a security update (using the CVE id
in the summary).
here is the fix.
--- kdebase-3.5.4/kde.pamd.redhat 2005-09-10 10:26:16.000000000 +0200
+++ kdebase-3.5.4/kde.pamd 2006-08-25 14:15:02.000000000 +0200
@@ -1,7 +1,9 @@
-auth required /lib/security/pam_pwdb.so shadow nullok
-auth required /lib/security/pam_nologin.so
-account required /lib/security/pam_pwdb.so
-password required /lib/security/pam_cracklib.so
-password required /lib/security/pam_pwdb.so shadow nullok use_authtok
-session required /lib/security/pam_pwdb.so
+auth include system-auth
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session include system-auth
+session required pam_loginuid.so
+session optional pam_selinux.so
+session optional pam_console.so
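Review bot: the hunk replaces the whole service file, so the change does not say which of the removed lines let an already-validated user back in without a password; the next comment asks exactly that, and the changelog of a security update with the CVE id in its summary should state it. Beyond dropping the absolute /lib/security/pam_pwdb.so paths, two lines change semantics: pam_nologin.so moves from the auth stack to the account stack (it still refuses logins while /etc/nologin exists, but as an account check after authentication rather than as part of it), and the auth stack shrinks to the single line `auth include system-auth`, so whether an empty password is accepted now depends entirely on what /etc/pam.d/system-auth does with nullok, not on this file. Please confirm the system-auth shipped in fc5-update and rawhide requires a password before pushing.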
Can you point out which config lines of the pam.d files need to be changed for
the interim? It might be useful for a simple configuration issue to simply name
the lines which are causing this.
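The question above is answered most reliably by looking at the effective stack a service file produces, including what its include lines pull in, and by checking that every module the stack names actually exists on the system. The script below is an added example for that purpose; it is not code from the bug report or from kdebase. It assumes an /etc/pam.d-style layout (include targets live next to the file that names them) and constructs a throwaway tree holding a minimal system-auth, the old and the new kde service file from the patch in the comment above, and a fake module directory that contains every module the new file names but no pam_pwdb. The PAM_MODULE_DIRS default is a guess at common module locations; override it for your distribution.

```shell
#!/bin/sh
# Added example (not from the bug report or from kdebase): audit a PAM service
# file. "include"/"substack" lines are expanded the way PAM does, pulling only
# lines of the same type from the named file in the same directory; every module
# the resulting stack names is then checked on disk. pam_demo_setup's files are constructed.

# Where bare module names (pam_unix.so) are looked up; override per system (assumed defaults).
: "${PAM_MODULE_DIRS:=/lib/security /lib64/security /usr/lib/security /usr/lib64/security}"

# pam_parse FILE: print "type control module args" for each config line.
pam_parse() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            type = $1; i = 2
            # a bracketed control ([success=1 default=ignore]) spans several fields
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            control = $i; module = $(i + 1); args = ""
            for (j = i + 2; j <= NF; j++) args = args (j > i + 2 ? " " : "") $j
            print type, control, module, args
        }' "$1"
}

# pam_flatten FILE [DEPTH]: print the effective stack as "type module args".
# An include that cannot be read is reported as module MISSING:<service>, never dropped.
pam_flatten() {
    [ "${2:-0}" -le 8 ] || { echo "pam_flatten: include nesting too deep at $1" >&2; return 1; }
    pam_parse "$1" | while read -r type control module args; do
        case "$control" in
            include|substack)
                inc="$(dirname "$1")/$module"
                if [ -r "$inc" ]; then
                    pam_flatten "$inc" $(( ${2:-0} + 1 )) | grep "^$type " || :
                else
                    echo "$type MISSING:$module"
                fi ;;
            *) echo "$type $module $args" ;;
        esac
    done
}

# pam_module_exists MODULE: absolute paths checked as written, bare names searched in PAM_MODULE_DIRS.
pam_module_exists() {
    case "$1" in /*) [ -e "$1" ]; return $? ;; esac
    for d in $PAM_MODULE_DIRS; do
        [ -e "$d/$1" ] && return 0
    done
    return 1
}

# pam_unresolved_modules FILE: "type module" for every reference that resolves to nothing.
pam_unresolved_modules() {
    pam_flatten "$1" | while read -r type module args; do
        pam_module_exists "$module" || echo "$type $module"
    done
}

# pam_demo_setup: throwaway pam.d tree (constructed) with a minimal system-auth, the old
# and new kde service file from the patch, and a fake module dir without pam_pwdb. Prints the root.
pam_demo_setup() {
    root=$(mktemp -d)
    mkdir "$root/pam.d" "$root/security"
    for m in pam_unix.so pam_nologin.so pam_loginuid.so pam_selinux.so pam_console.so; do : > "$root/security/$m"; done
    cat > "$root/pam.d/system-auth" <<'EOF'
auth     required pam_unix.so nullok
account  required pam_unix.so
password required pam_unix.so nullok use_authtok
session  required pam_unix.so
EOF
    cat > "$root/pam.d/kde.old" <<'EOF'
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
EOF
    cat > "$root/pam.d/kde.new" <<'EOF'
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
session optional pam_selinux.so
session optional pam_console.so
EOF
    echo "$root"
}

pam_demo() {
    root=$(pam_demo_setup)
    PAM_MODULE_DIRS="$root/security"
    for f in kde.old kde.new; do
        echo "== effective stack of $f";    pam_flatten "$root/pam.d/$f"
        echo "== unresolved modules in $f"; pam_unresolved_modules "$root/pam.d/$f"
    done
    rm -rf "$root"
}

pam_demo
```

Run it against a real service file with `PAM_MODULE_DIRS=/lib64/security pam_unresolved_modules /etc/pam.d/kdm` after sourcing the functions. An empty result only means every referenced module exists; read the flattened stack as well, because with the new file the password check itself lives in system-auth, and that is the file whose auth lines decide whether an empty password is accepted.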
Removing embargo, update was pushed FEDORA-2006-942
I've just reproduced this on a FC6 box with kdebase-3.5.5-0.1.fc6.
Oh, it seems the bug is still in FC6/RHEL5-Beta. It's now fixed in RHEL5/FC6 CVS.
New package will be built for RHEL5/FC6-update today. Bill, thanks for