Bug 197748 - GDM lets people know if it's a bad password or a bad username when authenticating
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard:
Duplicates: 201787 (view as bug list)
Depends On:
Blocks: FC6Target
Reported: 2006-07-05 22:27 UTC by Stewart Adam
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: pam-0.99.5.0-7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-10 13:48:57 UTC


Attachments
Here's /etc/pam.d/system-auth (deleted)
2006-07-25 13:09 UTC, Stewart Adam
return "user unknown" error instead of "service error" when the user is unknown. (deleted)
2006-08-04 18:57 UTC, Ray Strode [halfline]

Description Stewart Adam 2006-07-05 22:27:26 UTC
Description of problem:
When authenticating with GDM, I've noticed that one can tell if it's a bad
user or a bad password from the combo of bad username/password, giving hackers
an edge:
- If it's a good username with a bad password, PAM returns with the 'incorrect
username or password. Please try again' message.
- If it's a bad username (eg, the user isn't added on the system) a popup dialog
comes up saying 'authentication failure'

Version-Release number of selected component (if applicable):
gdm 2.14.x
gdm 2.15.x

How reproducible:
Always

Steps to Reproduce:
1. Start GDM
2. Login with a good username, bad password
3. Try again with a bad username, and the password doesn't matter as the user
isn't on the system anyways...
4. Compare the results of step (2) and (3)

Actual results:
Either a popup dialog or text message is returned, and based on this result a
hacker can possibly find out if a user exists on the system.

Expected results:
GDM shows consistent failure results. Could be fixed easily by implementing this
other bug report:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178856
Simply a shake as it does in Mac OS X would not let the hackers or anyone else
know if they have a bad username or a bad password. It's not too big an issue in
terms of worrying about hackers unless you have VNC or some other GUI remote
administration server running, but nevertheless it's still a big security issue.

Additional info:
Could this be a PAM bug? I recall this happening a while back with an SSH
auto-blocker and it was due to PAM.

Comment 1 Stewart Adam 2006-07-24 15:30:37 UTC
Any news on this issue?
Stewart

Comment 2 Ray Strode [halfline] 2006-07-24 22:35:37 UTC
When you enter an invalid username does it fail immediately or ask for a password?

Comment 3 Stewart Adam 2006-07-25 00:04:33 UTC
No, it accepts the username and password no matter what, but it's the result
that changes:
(valid user, bad password) = dialog resets and white text appears under 'Enter
Username' stating that you entered bad credentials

(invalid user, any password) = a popup dialog comes up with a red X and it says
'Authentication Error'.

Comment 4 Ray Strode [halfline] 2006-07-25 04:39:23 UTC
Can you attach your /etc/pam.d/system-auth file?

Comment 5 Stewart Adam 2006-07-25 13:09:00 UTC
Created attachment 132975 [details]
Here's /etc/pam.d/system-auth

Comment 6 Ray Strode [halfline] 2006-07-25 17:35:10 UTC
Does it say "Authentication Error" or "Authentication Failed"?

Comment 7 Stewart Adam 2006-07-25 19:24:53 UTC
Authentication Failed

Comment 8 Stewart Adam 2006-08-04 14:31:13 UTC
I've changed the version to 'devel' as it's still happening in the development
versions of GDM. Do you think this issue will be resolved for FC6?

Comment 9 Ray Strode [halfline] 2006-08-04 15:10:18 UTC
Yes, we should fix this before FC6 is released.

Comment 10 Ray Strode [halfline] 2006-08-04 18:53:43 UTC
So this turns out to be a bug in the pam_succeed_if PAM module.

Comment 11 Ray Strode [halfline] 2006-08-04 18:57:11 UTC
Created attachment 133654 [details]
return "user unknown" error instead of "service error" when the user is unknown.

GDM currently shows the desired error message when the error code is
PAM_AUTH_ERR or PAM_USER_UNKNOWN, and shows the other error message when there
is a problem with the pam configuration.

The pam_succeed_if.so module is returning the wrong error code. The above
patch should fix things up.
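To make the effect of the wrong return code concrete, here is an added illustration (not code from this bug, from GDM or from Linux-PAM) that models the behaviour described in comment 11. It assumes a constructed account database with a single user "alice", stands in for pam_succeed_if's user check with a small function that can return either the buggy PAM_SERVICE_ERR or the patched PAM_USER_UNKNOWN, and reproduces GDM's message mapping so that a check can confirm whether the two failure cases from the report still look different on screen.

```c
#include <stdbool.h>
#include <string.h>

/* Linux-PAM return codes used here (values as in <security/_pam_types.h>). */
#define PAM_SUCCESS      0
#define PAM_SERVICE_ERR  3
#define PAM_AUTH_ERR     7
#define PAM_USER_UNKNOWN 10

/* Constructed account database: only "alice" exists, password "correct horse". */
static bool user_exists(const char *user) { return strcmp(user, "alice") == 0; }
static bool password_ok(const char *pw)   { return strcmp(pw, "correct horse") == 0; }

/* Stand-in for pam_succeed_if's user lookup. fixed=false is the behaviour from
 * comment 11 (PAM_SERVICE_ERR for an unknown user); fixed=true is what the patch
 * returns instead (PAM_USER_UNKNOWN). */
static int succeed_if_user_known(const char *user, bool fixed)
{
    if (user_exists(user))
        return PAM_SUCCESS;
    return fixed ? PAM_USER_UNKNOWN : PAM_SERVICE_ERR;
}

/* Simplified auth stack: pam_succeed_if runs first, then the password check. */
static int authenticate(const char *user, const char *pw, bool fixed)
{
    int rc = succeed_if_user_known(user, fixed);
    return rc != PAM_SUCCESS ? rc : (password_ok(pw) ? PAM_SUCCESS : PAM_AUTH_ERR);
}

/* GDM's mapping as described in comment 11: AUTH_ERR and USER_UNKNOWN share one
 * inline message; any other code is treated as a PAM configuration problem and
 * surfaces as the distinct "Authentication Failed" popup. */
static const char *gdm_message(int rc)
{
    if (rc == PAM_SUCCESS)
        return "login ok";
    if (rc == PAM_AUTH_ERR || rc == PAM_USER_UNKNOWN)
        return "Incorrect username or password. Please try again";
    return "Authentication Failed (popup)";
}

/* Regression check for this bug: does (unknown user, any password) look different
 * on screen from (known user, wrong password)? true means usernames are revealed. */
static bool leaks_user_existence(bool fixed)
{
    const char *known   = gdm_message(authenticate("alice", "wrong", fixed));
    const char *unknown = gdm_message(authenticate("mallory", "wrong", fixed));
    return strcmp(known, unknown) != 0;
}
```

With the buggy return code leaks_user_existence(false) is true; with the patched code leaks_user_existence(true) is false, because both failures now collapse to the same inline message.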

Comment 12 Ray Strode [halfline] 2006-08-04 18:59:43 UTC
Reassigning to PAM maintainer

Comment 13 Ray Strode [halfline] 2006-08-09 02:05:55 UTC
*** Bug 201787 has been marked as a duplicate of this bug. ***

