It causes unpleasant flicker on the gdm login screen, and you can't read it anyway because it is gone in a split second. Here is the conversation I had with Ray about it: <mclasen> halfline: while I see you talking about 'chatty pam' in another channel... <mclasen> I notice that when I login, I see a 'Last login: some date' message appear in the shell login screen for a split second <mclasen> its more noticable when things are very slow after you've dropped caches <mclasen> but I can also see it in normal login, if I look closely <halfline> yea that got added recently <halfline> look at /etc/pam.d/postlogin <halfline> we should probably get it removed <mclasen> yes, I find that quite unacceptable <mclasen> I don't care if we show that for gettys <mclasen> but not in gdm, where is only flickering in for a split second while we are animating <halfline> mclasen: if you prod t8m, he'll probably take it out <halfline> or move it to /etc/pam.d/login and /etc/pam.d/ssh
I'd really prefer if gdm could be fixed to properly display the messages from PAM if there are any. But for F18 I can understand that this is too late now. So I (only for F18) will skip pam_lastlog in the configuration. Note that it is very frequent requirement to be able to display information about last login and previous bad login attempts.
This is not the right way to display that kind of message. It is not part of the login process, but informs you about the last login. If anything, it should be displayed as a notification after login - but only if there is really reason to be suspicious.
Actually, there are security guidelines that need to be followed. Between authenticating and being free, people need to 1) see a consent to being monitored screen and agree to it, disagreeing logs them back out. 2) See the number of failed login attempts since the last good one as well as the date and time of the last good login. This has to stay on screen until dismissed. How these are done, I don't really care too much. But they are real requirements for every login, not just suspicious ones.
Of course this can default to not used for home users...
(In reply to comment #2) > It is not part of the login process, but informs you about the last login. > If anything, it should be displayed as a notification after login - but only > if there is really reason to be suspicious. As you can read above from Steve - there are requirements that the message must be displayed until explicitly dismissed by the user. Of course gdm could/should collect the post-auth message(s) and forward them to the gnome session for display. But there is also the requirement to be able to display messages pre-auth that have to be explicitly ack-ed by user which has to be done by gdm anyway.
Those requirements have very little relevance for Fedora, which is almost entirely in the domain of home users. And I don't see how the current implementation meets Steve's requirements at all, considering the message only flickers through for a split second, and there is no way for the user to consent to anything. Please, lets just remove this and discuss a proper implementation.
(In reply to comment #3) > Actually, there are security guidelines that need to be followed. Between > authenticating and being free, people need to 1) see a consent to being > monitored screen and agree to it, disagreeing logs them back out. 2) See the > number of failed login attempts since the last good one as well as the date > and time of the last good login. This has to stay on screen until dismissed. I'm curious what security requirements these are - these don't seem to be part of any planned feature list, they were not part of prior releases, and we need these sort of things run through a proper process so we can coeherently account for them.
pam-1.1.6-3.fc18.1,authconfig-6.2.5-1.fc18.2 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/pam-1.1.6-3.fc18.1,authconfig-6.2.5-1.fc18.2
Package pam-1.1.6-3.fc18.1, authconfig-6.2.5-1.fc18.2: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing pam-1.1.6-3.fc18.1 authconfig-6.2.5-1.fc18.2' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-19874/pam-1.1.6-3.fc18.1,authconfig-6.2.5-1.fc18.2 then log in and leave karma (feedback).
pam-1.1.6-3.fc18.1, authconfig-6.2.5-1.fc18.2 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Bill Nottingham from comment #7) > (In reply to comment #3) > > Actually, there are security guidelines that need to be followed. Between > > authenticating and being free, people need to 1) see a consent to being > > monitored screen and agree to it, disagreeing logs them back out. 2) See the > > number of failed login attempts since the last good one as well as the date > > and time of the last good login. This has to stay on screen until dismissed. > > I'm curious what security requirements these are - these don't seem to be > part of any planned feature list, they were not part of prior releases, and > we need these sort of things run through a proper process so we can > coeherently account for them. I'd like to reiterate this request. I'd like to design this to make sure that we fulfill these requirements (upstream bug is https://bugzilla.gnome.org/show_bug.cgi?id=708846 ), and it would be really helpful to have some more details.
The first requirement is that during login, users of some systems may have to consent to being monitored. Meaning they have to click on OK and also have a choice to disagree. If they disagree, they must be logged back out. If they agree, they proceed to establish the session. The text they agree to must be configurable as different organizations have differing legal requirements and they can change over time. This is required for example by DISA STIG GEN000402. Also, the NIST USGCB security guidelines also require it. This should also probably become an audit event so there is a "legal" trail. Second, after login, the number of failed attempts since the last good login and the time/date of the last login must be displayed. This can be found in NIST SP800-53, AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION: The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.