Whitespaces in login name cause authentication problems
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Light Display Manager |
Invalid
|
Medium
|
Unassigned | ||
libpam-ldap (Ubuntu) |
Triaged
|
Medium
|
Unassigned | ||
lightdm (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
unity-greeter (Ubuntu) |
Invalid
|
Medium
|
Unassigned |
Bug Description
This is an Ubuntu 12.04.2 LTS deployment in an university lab environment. The university is in a transition setup, where student ids are provided both through an Active Directory, as well as LDAP.
So identification goes through both layers, first krb5 and then ldap. However, a home directory gets mounted via krb5.
Behavior: if user types a whitespace (or more) at the beginning or the end of the username, lightdm takes that string literally and runs it through authentication. The confusion here was that while krb5 refuses to authenticate the string (which doesn't exist as a user), ldap strips the whitespaces and it happily authenticates the userid. The user gets in, but they don't have a home mounted.
Is there any reason why leading whitespaces and trailing whitespaces are not being stripped out of the usernames? That would be of great help to our users here. The white space is just the natural way of waking up a dormant machine, so users do it frequently. It is also difficult to educate a large crowd about this issue, especially with the double authentication that behaves differently.
Thank you.
Changed in lightdm: | |
status: | New → Triaged |
importance: | Undecided → Medium |
This one turns out to be more complex than it looks. Unfortunately due to the way PAM works neither LightDM or the greeter know for sure the context of the prompts that PAM sends. So they don't know they're being asked for a username or something else in which whitespace might be significant. It seems unlikely but since we can never know what PAM modules exist we can't just strip whitespace from PAM responses.
Trying to log in from a text terminal confirms that a simple login will fail with whitespace. Code checking pam_unix, pam_ldap and pam_krb5 doesn't appear to show them making any attempt to strip whitespace. I'm assuming then the whitespace stripping is being done server side on your LDAP server?
From a user experience it seems correct that whitespace should be ignored and the only thing that can do this reliably is the PAM modules which know the context of the username response from LightDM/Unity Greeter. So I'll reassign this bug to libpam-ldap as that seems to be the module that the problem might be in.