Whitespaces in login name cause authentication problems

Bug #1195039 reported by Dana Brand
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Light Display Manager | Invalid | Medium | Unassigned |
libpam-ldap (Ubuntu) | Triaged | Medium | Unassigned |
lightdm (Ubuntu) | Invalid | Medium | Unassigned |
unity-greeter (Ubuntu) | Invalid | Medium | Unassigned |

Bug Description

This is an Ubuntu 12.04.2 LTS deployment in a university lab environment. The university is in a transition setup, where student ids are provided both through an Active Directory, as well as LDAP.
So identification goes through both layers, first krb5 and then ldap. However, a home directory gets mounted via krb5.

Behavior: if a user types a whitespace (or more) at the beginning or the end of the username, lightdm takes that string literally and runs it through authentication. The confusion here was that while krb5 refuses to authenticate the string (which doesn't exist as a user), ldap strips the whitespaces and it happily authenticates the userid. The user gets in, but they don't have a home mounted.

Is there any reason why leading whitespaces and trailing whitespaces are not being stripped out of the usernames? That would be of great help to our users here. The white space is just the natural way of waking up a dormant machine, so users do it frequently. It is also difficult to educate a large crowd about this issue, especially with the double authentication that behaves differently.

Thank you.

Changed in lightdm:
status: New → Triaged
importance: Undecided → Medium
Robert Ancell (robert-ancell) wrote :

This one turns out to be more complex than it looks. Unfortunately, due to the way PAM works, neither LightDM nor the greeter knows for sure the context of the prompts that PAM sends. So they don't know whether they're being asked for a username or something else in which whitespace might be significant. It seems unlikely, but since we can never know what PAM modules exist we can't just strip whitespace from PAM responses.

Trying to log in from a text terminal confirms that a simple login will fail with whitespace. Code checking pam_unix, pam_ldap and pam_krb5 doesn't appear to show them making any attempt to strip whitespace. I'm assuming then the whitespace stripping is being done server side on your LDAP server?

From a user experience it seems correct that whitespace should be ignored and the only thing that can do this reliably is the PAM modules which know the context of the username response from LightDM/Unity Greeter. So I'll reassign this bug to libpam-ldap as that seems to be the module that the problem might be in.

Changed in libpam-ldap (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in lightdm (Ubuntu):
status: New → Invalid
importance: Undecided → Medium
Changed in lightdm:
status: Triaged → Invalid
Robert Ancell (robert-ancell) wrote :

Things worth checking:

a) If the LDAP server indicates in some way the correct unix username for that account then make sure pam_ldap is correctly setting PAM_USER to this value (so other modules will use it).

b) If it is expected behaviour that the LDAP server ignores whitespace then libpam-ldap should pre-strip the whitespace itself and update the PAM_USER value.

Changed in unity-greeter (Ubuntu):
status: New → Invalid
importance: Undecided → Medium
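
A model of the mismatch described in this report and of the pre-strip suggested in (b), added here as an example; it is not code from pam_ldap, pam_krb5 or LightDM. The account name and both backend functions are constructed stand-ins and make no real PAM, Kerberos or LDAP calls.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strip leading/trailing whitespace from a login name in place.
   Interior whitespace is kept. Returns 0 on success, -1 if nothing
   is left (empty or all-whitespace input). */
int normalize_login(char *name)
{
    size_t start = 0, end = strlen(name);
    while (start < end && isspace((unsigned char)name[start])) start++;
    while (end > start && isspace((unsigned char)name[end - 1])) end--;
    memmove(name, name + start, end - start);
    name[end - start] = '\0';
    return (end > start) ? 0 : -1;
}

static const char *DIRECTORY_USER = "student01"; /* constructed account name */

/* Stand-in for the krb5 side as reported: the string is matched literally. */
int strict_backend_accepts(const char *user)
{
    return strcmp(user, DIRECTORY_USER) == 0;
}

/* Stand-in for the LDAP side as reported: surrounding whitespace is ignored. */
int lenient_backend_accepts(const char *user)
{
    char copy[64];
    if (strlen(user) >= sizeof copy) return 0;
    strcpy(copy, user);
    return normalize_login(copy) == 0 && strcmp(copy, DIRECTORY_USER) == 0;
}

/* 1 when the backends disagree: the "logged in, but no home mounted" state. */
int split_decision(const char *user)
{
    return strict_backend_accepts(user) != lenient_backend_accepts(user);
}

int main(void)
{
    char typed[64] = " student01 "; /* constructed input with stray spaces */
    printf("raw input: split=%d\n", split_decision(typed));
    /* In a real module the normalized name would be written back with
       pam_set_item(pamh, PAM_USER, typed) so later modules see it. */
    if (normalize_login(typed) == 0)
        printf("normalized '%s': split=%d\n", typed, split_decision(typed));
    return 0;
}
```

Normalizing once, before any backend sees the name, is what removes the disagreement; stripping inside only one backend is what produced it.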