Bug 2030043 - GNOME is not showing "There were * failed login attempts since the last successful login".
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: gdm
Version: 8.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Ray Strode [halfline]
QA Contact: Michael Boisvert
Blocks: 2073275
Reported: 2021-12-07 20:48 UTC by Chino Soliard
Modified: 2023-05-16 09:25 UTC (History)

Fixed In Version: gdm-40.0-25.el8
: 2073275 (view as bug list)
Last Closed: 2023-05-16 08:27:13 UTC
Type: Bug
pm-rhel: mirror+


Attachments
patch to fix btmp accounting (18.03 KB, patch)
2022-10-19 19:19 UTC, Ray Strode [halfline]


Links
System ID Private Priority Status Summary Last Updated
GNOME Gitlab GNOME gdm merge_requests 189 0 None opened manager: Fix btmp record accounting 2022-10-19 19:22:25 UTC
Red Hat Issue Tracker RHELPLAN-105046 0 None None None 2021-12-07 20:53:12 UTC
Red Hat Product Errata RHBA-2023:2779 0 None None None 2023-05-16 08:27:21 UTC

Description Chino Soliard 2021-12-07 20:48:40 UTC
Description of problem:

GNOME is not showing the message "There were * failed login attempts after the last successful login".
TTY is showing the message. This is happening just in RHEL8, RHEL7 shows the message.

I note that, by default, RHEL8 does not show those messages, so I modified the postlogin PAM stack to
look like the RHEL7 one, but it doesn't work.
___________________________________________________________________________________________

RHEL7

    cat /etc/redhat-release ;cat /etc/pam.d/postlogin
    Red Hat Enterprise Linux Server release 7.9 (Maipo)
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    
    
    session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
    session     [default=1]   pam_lastlog.so nowtmp showfailed
    session     optional      pam_lastlog.so silent noupdate showfailed

RHEL8

    cat /etc/redhat-release ;cat /etc/pam.d/postlogin 
    Red Hat Enterprise Linux release 8.4 (Ootpa)
    # Generated by authselect on Tue Dec  7 14:14:26 2021
    # Do not modify this file manually.
    
    #session     optional                   pam_umask.so silent
    session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
    #session     [default=1]                pam_lastlog.so nowtmp silent
    session     [default=1]                pam_lastlog.so nowtmp showfailed
    session     optional                   pam_lastlog.so silent noupdate showfailed
__________________________________________________________________________________________________-
Version-Release number of selected component (if applicable):

    # yum list installed gnome*
    Updating Subscription Management repositories.
    Unable to read consumer identity

    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

    Installed Packages
    gnome-autoar.x86_64                                     0.2.3-1.el8          @AppStream
    gnome-bluetooth.x86_64                                  1:3.34.3-1.el8       @AppStream
    gnome-bluetooth-libs.x86_64                             1:3.34.3-1.el8       @AppStream
    gnome-boxes.x86_64                                      3.36.5-8.el8         @AppStream
    gnome-calculator.x86_64                                 3.28.2-1.el8         @AppStream
    gnome-characters.x86_64                                 3.28.2-1.el8         @AppStream
    gnome-classic-session.noarch                            3.32.1-14.el8        @AppStream
    gnome-color-manager.x86_64                              3.28.0-3.el8         @AppStream
    gnome-control-center.x86_64                             3.28.2-27.el8        @AppStream
    gnome-control-center-filesystem.noarch                  3.28.2-27.el8        @AppStream
    gnome-desktop3.x86_64                                   3.32.2-1.el8         @AppStream
    gnome-disk-utility.x86_64                               3.28.3-2.el8         @AppStream
    gnome-font-viewer.x86_64                                3.28.0-1.el8         @AppStream
    gnome-getting-started-docs.noarch                       3.28.2-1.el8         @AppStream
    gnome-initial-setup.x86_64                              3.28.0-9.el8         @AppStream
    gnome-keyring.x86_64                                    3.28.2-1.el8         @AppStream
    gnome-keyring-pam.x86_64                                3.28.2-1.el8         @AppStream
    gnome-logs.x86_64                                       3.28.5-3.el8         @AppStream
    gnome-menus.x86_64                                      3.13.3-11.el8        @AppStream
    gnome-online-accounts.x86_64                            3.28.2-2.el8         @AppStream
    gnome-remote-desktop.x86_64                             0.1.8-3.el8          @AppStream
    gnome-screenshot.x86_64                                 3.26.0-3.el8         @AppStream
    gnome-session.x86_64                                    3.28.1-10.el8        @AppStream
    gnome-session-wayland-session.x86_64                    3.28.1-10.el8        @AppStream
    gnome-session-xsession.x86_64                           3.28.1-10.el8        @AppStream
    gnome-settings-daemon.x86_64                            3.32.0-14.el8        @AppStream
    gnome-shell.x86_64                                      3.32.2-30.el8        @AppStream
    gnome-shell-extension-apps-menu.noarch                  3.32.1-14.el8        @AppStream
    gnome-shell-extension-common.noarch                     3.32.1-14.el8        @AppStream
    gnome-shell-extension-desktop-icons.noarch              3.32.1-14.el8        @AppStream
    gnome-shell-extension-horizontal-workspaces.noarch      3.32.1-14.el8        @AppStream
    gnome-shell-extension-launch-new-instance.noarch        3.32.1-14.el8        @AppStream
    gnome-shell-extension-places-menu.noarch                3.32.1-14.el8        @AppStream
    gnome-shell-extension-window-list.noarch                3.32.1-14.el8        @AppStream
    gnome-software.x86_64                                   3.36.1-5.el8         @AppStream
    gnome-system-monitor.x86_64                             3.28.2-1.el8         @AppStream
    gnome-terminal.x86_64                                   3.28.3-3.el8         @AppStream
    gnome-terminal-nautilus.x86_64                          3.28.3-3.el8         @AppStream
    gnome-themes-standard.x86_64                            3.22.3-4.el8         @AppStream
    gnome-user-docs.noarch                                  3.28.2-1.el8         @AppStream
    gnome-video-effects.noarch                              0.4.3-3.el8          @AppStream
__________________________________________________________________________________________________-
How reproducible:

It is happening all the time. I created fresh installations of both RHEL7 and RHEL8 to isolate
the issue to RHEL8. As said previously, RHEL8 does not show any kind of message with the
default postlogin PAM stack. Modifying postlogin PAM stack to look like RHEL7 only shows
the last successful login date.
__________________________________________________________________________________________________-
Steps to Reproduce (from fresh RHEL8):
1. Modify postlogin to look like the following (similar to RHEL7):

    #session     optional                   pam_umask.so silent
    session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
    #session     [default=1]                pam_lastlog.so nowtmp silent
    session     [default=1]                pam_lastlog.so nowtmp showfailed
    session     optional                   pam_lastlog.so silent noupdate showfailed

2. Simulate failed logins.

3. Login using the correct credentials.
__________________________________________________________________________________________________-
Actual results:

Not showing "There were * failed login attempts after the last successful login"
Showing last successful login.

Expected results:

Show both "There were * failed login attempts after the last successful login"
and last successful login.
__________________________________________________________________________________________________-
Additional info:

I recreated the case with RHEL8.4. The issue was discovered using RHEL8.3

Comment 1 Iker Pedrosa 2021-12-15 16:09:12 UTC
(In reply to Adrian Soliard from comment #0)
> I note that, by default, RHEL8 does not show those messages, so I modified the
> postlogin PAM stack to look like the RHEL7 one, but it doesn't work.
> ___________________________________________________________________________________________
> 
> RHEL7
> 
>     cat /etc/redhat-release ;cat /etc/pam.d/postlogin
>     Red Hat Enterprise Linux Server release 7.9 (Maipo)
>     #%PAM-1.0
>     # This file is auto-generated.
>     # User changes will be destroyed the next time authconfig is run.
>     
>     
>     session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
>     session     [default=1]   pam_lastlog.so nowtmp showfailed
>     session     optional      pam_lastlog.so silent noupdate showfailed
> 
> RHEL8
> 
>     cat /etc/redhat-release ;cat /etc/pam.d/postlogin 
>     Red Hat Enterprise Linux release 8.4 (Ootpa)
>     # Generated by authselect on Tue Dec  7 14:14:26 2021
>     # Do not modify this file manually.
>     
>     #session     optional                   pam_umask.so silent
>     session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
>     #session     [default=1]                pam_lastlog.so nowtmp silent
>     session     [default=1]                pam_lastlog.so nowtmp showfailed
>     session     optional                   pam_lastlog.so silent noupdate showfailed

Your assumption to change the pam stack is correct. I also changed it and in the last successful authentication after several failed attempts, I was able to see the following message on the screen: "Last login: Wed Dec 15 16:25:10 CET 2021 on tty2". If you follow the same steps with ssh, that is to say, several failed authentication attempts and then the last one is successful:

    $ ssh testuser@localhost
    Last failed login: Wed Dec 15 16:19:34 CET 2021 from ::1 on ssh:notty
    There were 3 failed login attempts since the last successful login.
    Last login: Wed Dec 15 16:19:14 2021 from ::1

The second message is the expected one. Curiously, the last message from ssh is the one that appears on the gnome login screen. So, I wonder, is that screen able to show several messages at the same time? Or does it only show the last one? Since it seems to work with other tools I think that the problem lies in the desktop environment, so I'm moving the bugzilla to that team. If you have any questions, don't hesitate to contact me.

> Additional info:
> 
> I recreated the case with RHEL8.4. The issue was discovered using RHEL8.3

I was able to reproduce it with RHEL8.2.

Comment 2 mkielian@redhat.com 2022-01-11 21:18:45 UTC
Testing Procedure: [ Test failed Text Console Login display in subsequent Gnome Login ]

On a freshly instanced RHEL 7/8 system that has a GUI ( Gnome Installed and active ) : 

1. Attempt Login via text mode to normal user ( shadowman ) using [ Ctrl + Alt + F2 ] for text console and use deliberately incorrect password.

2. Once it fails, press [ Ctrl + Alt + F1 ] to bring up the GUI and login as same user using correct password into GUI: 

3. System SHOULD show the failed login in the GUI Screen, It does in RHEL 7, but not in RHEL 8.



Test Results: 

RHEL 7.9:   This is the baseline Comparison

[ Messages Displayed: ]

Last Login: ( Date + Time )
Last Failed Failed - ( Date + Time = Terminal ( tty2) 
There has been 1 Failed login attempt since last login



RHEL 8.0 
[ No Notices were displayed ]

RHEL 8.1
[ No Notices were displayed ]

RHEL 8.2
[ No Notices were displayed ]

RHEL 8.3
[ No Notices were displayed ]

RHEL 8.4
[ No Notices were displayed ]

RHEL 8.5
[ No Notices were displayed ]


Note: I have not tested the ssh failed logins and Gnome failed logins yet, but plan on doing so.

Comment 3 mkielian@redhat.com 2022-01-13 19:49:29 UTC
I have completed another set of tests, this time using SSH logins that have failed: 



Testing Procedure: [ Test failed SSH Login display in subsequent Gnome Login ]

On a freshly instanced RHEL 7/8 system that has a Gnome Installed and active: 

1. Attempt Login via text mode to normal user ( shadowman ) using inbound SSH and use deliberately incorrect password.

2. Once it fails, login as same user using correct password into GUI: 

3. System SHOULD show the failed login in the GUI Screen, It does in RHEL 7, but not in RHEL 8.



Test Results: 

RHEL 7.9:   This is the baseline Comparison

[ Messages Displayed: ]

Last Login: ( Date + Time )
Last Failed Failed - ( Date + Time = Terminal ( ssh ) 
There has been 1 Failed login attempt since last login

Testing Note: This Time I am only Testing RHEL 8.0 , 8.4 , and 8.5 as previous test indicates it goes back to RHEL 8.0 and most current RHEL is 8.4/8.5

RHEL 8.0 
[ No Notices were displayed ]

RHEL 8.4
[ No Notices were displayed ]

RHEL 8.5
[ No Notices were displayed ]

Comment 4 Ray Strode [halfline] 2022-01-13 20:28:45 UTC
So it seems to show the message on the graphical login screen, if a failed login happens at a virtual terminal.

This suggests to me that perhaps gdm is failing to write a btmp record for failed log ins.

A quick peek of the code:

#if defined(HAVE_UPDWTMPX)
        updwtmpx (GDM_BAD_SESSION_RECORDS_FILE, &session_record);
#elif defined(HAVE_UPDWTMP)
        updwtmp(GDM_BAD_SESSION_RECORDS_FILE, &session_record);
#endif

So perhaps those defines aren't getting set since we switched to the meson build system? Just a guess, will need to investigate further.

Comment 5 Ray Strode [halfline] 2022-01-13 20:49:47 UTC
re comment 3, what does your /etc/pam.d/postlogin file look like ? is it the same as the one mentioned in comment 0?

Comment 6 Joe Wright 2022-01-17 15:26:55 UTC
[root@rhel8test ~]# ll /etc/pam.d/postlogin
lrwxrwxrwx. 1 root root 25 Jan 10 08:17 /etc/pam.d/postlogin -> /etc/authselect/postlogin

[root@rhel8test ~]# ll /etc/authselect/postlogin
-rw-r--r--. 1 root root 397 Jan 10 08:17 /etc/authselect/postlogin

[root@rhel8test ~]# cat /etc/authselect/postlogin
# Generated by authselect on Mon Jan 10 08:17:01 2022
# Do not modify this file manually.

session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed

Comment 7 dahchanson 2022-05-20 15:05:46 UTC
This issue is the btmp record as noted in comment 4.  If you fail logins at the terminal or ssh, the failures are correctly shown in GDM during login.

Comment 8 Ray Strode [halfline] 2022-05-23 20:32:49 UTC
So from poking around a little, this doesn't seem to be a build system problem after all. It's a regression caused by switching to user sessions on a different tty than the login screen.

The problem is, I believe, that the login screen's session isn't ever assigned its display name. The display name is needed to write a btmp record.

gdm_manager_handle_register_display only looks for user sessions. It needs to look for login screen sessions as well I think.
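
Added example, not part of the bug thread and not gdm or pam_lastlog code: comments 4 and 8 trace the missing message to gdm writing no btmp record for failures at the login screen. The C program below computes the per-user count of btmp records since the last successful login that a `showfailed`-style check depends on, and shows that count coming up short when the greeter attempt left no record. It assumes glibc's `struct utmpx` record layout; the user names, timestamps and the `:0` line value are constructed.

```c
/* Added example, not gdm or pam_lastlog source; assumes glibc's raw struct utmpx btmp layout. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <utmpx.h>

/* Build one constructed failure record (ut_user/ut_line may lack a trailing NUL). */
struct utmpx make_record(const char *user, const char *line, time_t when)
{
    struct utmpx r;
    size_t u = strlen(user), l = strlen(line);
    memset(&r, 0, sizeof r);
    memcpy(r.ut_user, user, u < sizeof r.ut_user ? u : sizeof r.ut_user);
    memcpy(r.ut_line, line, l < sizeof r.ut_line ? l : sizeof r.ut_line);
    r.ut_tv.tv_sec = when;
    return r;
}

/* Count records for `user` at or after `since`; non-NULL `line` restricts to that tty/display. */
int count_failed(const struct utmpx *recs, size_t n, const char *user, const char *line, time_t since)
{
    int failed = 0;
    for (size_t i = 0; i < n; i++) {
        if ((time_t)recs[i].ut_tv.tv_sec < since) continue;
        if (strncmp(recs[i].ut_user, user, sizeof recs[i].ut_user) != 0) continue;
        if (line && strncmp(recs[i].ut_line, line, sizeof recs[i].ut_line) != 0) continue;
        failed++;
    }
    return failed;
}

/* Same count over a btmp file on disk; returns -1 if it cannot be opened. */
int count_failed_in_file(const char *path, const char *user, const char *line, time_t since)
{
    struct utmpx r;
    int failed = 0;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    while (fread(&r, sizeof r, 1, f) == 1)
        failed += count_failed(&r, 1, user, line, since);
    fclose(f);
    return failed;
}

int main(void)
{
    time_t t = 1639581554; /* constructed: time of the last successful login */
    /* Constructed: bad passwords at tty2, ssh and the greeter; the greeter left no record. */
    struct utmpx recs[] = { make_record("testuser", "tty2", t - 60),
        make_record("testuser", "tty2", t + 10), make_record("testuser", "ssh:notty", t + 20) };
    printf("since last login: %d, on display :0: %d\n",
           count_failed(recs, 3, "testuser", NULL, t), count_failed(recs, 3, "testuser", ":0", t));
    return 0;
}
```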

Comment 9 Mark Scott 2022-06-23 19:28:27 UTC
This is a regression of the NIST 800-53 AC-9(1) security control:
  The information system notifies the user, upon successful logon/access, of the number of 
  unsuccessful logon/access attempts since the last successful logon/access.

This needs to be fixed for government customers needing to adhere to NIST & DISA STIG standards.

Comment 15 Michael Boisvert 2022-08-04 14:30:51 UTC
I can easily reproduce the issue on 8.7 (thanks for the well written bug report). Adding necessary ack, etc.

Comment 18 Ray Strode [halfline] 2022-10-19 19:19:32 UTC
Created attachment 1919147 [details]
patch to fix btmp accounting

Comment 25 errata-xmlrpc 2023-05-16 08:27:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (gdm bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2779

