lightdm allows login with unplugged device needed for authentication

Bug #1159457 reported by Nobuto Murata
Affects           Status     Importance  Assigned to  Milestone
lightdm (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

Even if I unplug the device needed for authentication, lightdm still allows login without the device.

How to reproduce:
 1. set up pam_usb.so or pam_blue.so with "auth sufficient" in /etc/pam.d/common-auth
    pam_usb.so:
      https://github.com/aluzzardi/pam_usb/wiki/Getting-Started
    pam_blue.so:
      http://tjworld.net/wiki/Linux/Ubuntu/BluetoothLoginAndLocking
 2. log in as the user with the device
 3. log out
 4. unplug the USB device or turn off the Bluetooth device
 5. press Enter to log in

Expected result:
 login rejected or fallback to password login

Actual result:
 login allowed, without the device or password

WORKAROUND:
 make sure to press Esc on lightdm *after* unplugging the device

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: lightdm 1.2.3-0ubuntu1
ProcVersionSignature: Ubuntu 3.5.0-26.42~precise1-generic 3.5.7.6
Uname: Linux 3.5.0-26-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.1
Architecture: amd64
CheckboxSubmission: 65fa7c094c0293dd4e9a81057a36a8fe
CheckboxSystem: 0657dd966bc74d2b22e7c94051aa55af
Date: Mon Mar 25 01:06:44 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 12.04.2 LTS "Precise Pangolin" - Release amd64 (20130213)
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 SHELL=/bin/bash
 PATH=(custom, no user)
 LANG=ja_JP.UTF-8
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Nobuto Murata (nobuto) wrote :
information type: Private Security → Public Security
Nobuto Murata (nobuto) wrote :

== logout ==
Mar 25 00:58:29 test-machine lightdm[5833]: pam_unix(lightdm:session): session closed for user usb-auth
== start lightdm ==
Mar 25 00:58:31 test-machine lightdm: pam_unix(lightdm:session): session opened for user lightdm by (uid=0)
Mar 25 00:58:31 test-machine lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :1
Mar 25 00:58:32 test-machine lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "usb-auth"
Mar 25 00:58:32 test-machine pam_usb[7042]: pam_usb v0.5.0
Mar 25 00:58:32 test-machine pam_usb[7042]: Authentication request for user "usb-auth" (lightdm)
Mar 25 00:58:32 test-machine pam_usb[7042]: Device "MyKey2" is connected (good).
Mar 25 00:58:32 test-machine pam_usb[7042]: Performing one time pad verification...
Mar 25 00:58:32 test-machine pam_usb[7042]: Access granted.
Mar 25 00:58:32 test-machine dbus[1056]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.213" (uid=104 pid=7055 comm="/usr/lib/indicator-datetime/indicator-datetime-ser") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.17" (uid=0 pid=1380 comm="/usr/sbin/console-kit-daemon --no-daemon ")
== unplug the USB device ==
== login ==
Mar 25 00:58:39 test-machine lightdm: pam_unix(lightdm:session): session closed for user lightdm
Mar 25 00:58:39 test-machine lightdm[7042]: pam_unix(lightdm:session): session opened for user usb-auth by (uid=0)
Mar 25 00:58:39 test-machine lightdm[7042]: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :1
== login success without the USB device ==

Marc Deslauriers (mdeslaur) wrote :

"auth sufficient" means that device isn't required for authentication.

Have you tried "auth required"?

Changed in lightdm (Ubuntu):
status: New → Incomplete
Nobuto Murata (nobuto) wrote :

Hi Marc,

in the situation described in comment #2, I can log in with the device *un*plugged and *no* password, like auto-login. I will try "auth required" anyway.

Nobuto Murata (nobuto) wrote :

"auth sufficient" case

/etc/pam.d/common-auth:
auth sufficient pam_usb.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so

Tom: knows his password and has the USB device
John: does not know Tom's password or have the USB device

Expected:
To log in as Tom, a user must either know Tom's password or have the USB device.

Actual:

== Tom logged out with the USB device plugged ==
[+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Starting Light Display Manager 1.2.3, UID=0 PID=7727
<snip>
[+0.85s] DEBUG: Activating VT 7
[+1.64s] DEBUG: Greeter start authentication for tom
[+1.64s] DEBUG: Started session 7854 with service 'lightdm', username 'tom'
[+1.87s] DEBUG: Session 7854 authentication complete with return value 0: Success
[+1.87s] DEBUG: Authenticate result for user tom: Success
[+1.91s] DEBUG: User tom authorized
== Tom left the PC with the USB device unplugged ==
== After a few minutes, John came to the PC and pressed Enter ==
[+107.87s] DEBUG: Greeter requests session ubuntu
[+107.87s] DEBUG: Using session ubuntu
[+107.87s] DEBUG: Stopping greeter
<snip>
[+108.54s] DEBUG: Starting session ubuntu as user tom
== John can log in as Tom without typing any password or having any USB device ==

That is undesired behavior. lightdm does not time out the authentication or check the authentication result again at the actual login.

Nobuto Murata (nobuto) wrote :

"auth required" case

/etc/pam.d/common-auth:
auth required pam_usb.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so

Tom: knows his password and has the USB device
John: knows Tom's password somehow but does not have the USB device

Expected:
To log in as Tom, a user must both know Tom's password and have the USB device.

Actual:

== Tom logged out with the USB device plugged ==
[+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Starting Light Display Manager 1.2.3, UID=0 PID=12837
<snip>
[+0.65s] DEBUG: Activating VT 7
[+1.48s] DEBUG: Greeter start authentication for tom
[+1.48s] DEBUG: Started session 12960 with service 'lightdm', username 'tom'
[+1.65s] DEBUG: Session 12960 got 1 message(s) from PAM
[+1.65s] DEBUG: Prompt greeter with 1 message(s)
== Tom left the PC with the USB device unplugged ==
== After a few minutes, John came to the PC and entered Tom's password ==
[+22.02s] DEBUG: Continue authentication
[+22.06s] DEBUG: Session 12960 authentication complete with return value 0: Success
[+22.06s] DEBUG: Authenticate result for user tom: Success
[+22.08s] DEBUG: User tom authorized
[+22.10s] DEBUG: Greeter requests session ubuntu
[+22.10s] DEBUG: Using session ubuntu
[+22.10s] DEBUG: Stopping greeter
<snip>
[+22.44s] DEBUG: Starting session ubuntu as user tom
== John can log in as Tom without any USB device, just by entering the password ==

That is undesired behavior. lightdm does not time out the authentication or re-check the authentication result for the USB device at the actual login.

Putting pam_usb.so after pam_unix.so prevents this situation, though.

Changed in lightdm (Ubuntu):
status: Incomplete → New
Marc Deslauriers (mdeslaur) wrote :

Ah, yes, I see what's happening now. The pam_usb module is granting access without a prompt as soon as lightdm spawns, which lightdm caches even when you remove the token.

Changed in lightdm (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

You can work around the behaviour by putting the following in the lightdm.conf file:
greeter-hide-users=true
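The thread above boils down to an ordering problem between two clocks: pam_usb.so checks the token at the moment it runs, while lightdm 1.2.x runs the whole auth stack as soon as the greeter appears and then reuses that verdict when Enter is pressed. The following is an added, constructed model of that interaction (not lightdm or Linux-PAM code): it parses the exact common-auth stacks quoted in the "auth sufficient" and "auth required" comments plus the reordering suggested there (pam_usb.so after pam_unix.so), evaluates them with simplified PAM control-flag semantics, and treats the password prompt as the point where Tom walks off with the token and John sits down. The module behaviours, the Scene/Tom/John scenarios and the recheck_at_login switch (the reporter's request that the result be checked again at the real login, which is also how this model reads the greeter-hide-users workaround, since authentication then cannot start before someone is at the keyboard) are all assumptions of the model.

```python
"""Toy model of the lightdm + PAM timing issue in bug #1159457 (constructed)."""
import re
from dataclasses import dataclass

SUCCESS, FAIL = "success", "auth_err"   # FAIL uses the PAM bracket-action key name

# Stacks copied from the report; USB_AFTER_UNIX is the suggested reorder, with
# pam_usb.so placed past the pam_deny.so line that a successful pam_unix.so skips.
SUFFICIENT_FIRST = """
auth sufficient pam_usb.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
"""
REQUIRED_FIRST = SUFFICIENT_FIRST.replace("auth sufficient pam_usb.so", "auth required pam_usb.so")
USB_AFTER_UNIX = """
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_usb.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
"""

LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d fragment."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        stack.append(m.groups())
    return stack

@dataclass
class Scene:
    """Who is at the keyboard and whether the token is plugged in (constructed)."""
    device_present: bool      # token plugged in when authentication starts
    password_ok: bool         # whoever answers the prompt knows Tom's password
    unplug_at_prompt: bool    # Tom leaves with the token while the greeter waits
    prompts: int = 0

    def prompt(self) -> bool:
        # The greeter shows a password field and blocks: this is where wall-clock
        # time passes in the report's timeline (Tom leaves, John sits down).
        self.prompts += 1
        if self.unplug_at_prompt:
            self.device_present = False
        return self.password_ok

def run_module(module, scene):
    """Modelled behaviour of each module in the page's stacks (assumption)."""
    if module == "pam_usb.so":        # checks the token *now*, never prompts
        return SUCCESS if scene.device_present else FAIL
    if module == "pam_unix.so":       # prompts, then verifies the password
        return SUCCESS if scene.prompt() else FAIL
    if module == "pam_deny.so":
        return FAIL
    return SUCCESS                    # pam_permit.so, pam_ecryptfs.so, pam_cap.so

def run_stack(stack, scene):
    """Simplified Linux-PAM control-flag semantics for an auth stack."""
    required_failed = False
    i = 0
    while i < len(stack):
        control, module = stack[i]
        result = run_module(module, scene)
        skip = 0
        if control == "required":
            if result == FAIL:
                required_failed = True            # remember, but keep running
        elif control == "requisite":
            if result == FAIL:
                return FAIL                       # stop immediately
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS                    # short-circuit: rest never runs
        elif control.startswith("["):             # e.g. [success=1 default=ignore]
            actions = dict(a.split("=", 1) for a in control.strip("[]").split())
            action = actions.get(result, actions.get("default", "ignore"))
            if action.isdigit():
                skip = int(action)                # jump over the next N modules
            elif action == "die":
                return FAIL
        # "optional" and action "ignore": the result does not affect the outcome
        i += 1 + skip
    return FAIL if required_failed else SUCCESS

def greeter_login(stack_text, scene, recheck_at_login=False):
    """lightdm 1.2.x as the report describes it: the stack runs as soon as the
    greeter appears, the verdict is cached, and Enter later starts the session
    on that cached verdict. recheck_at_login re-runs the stack at the real login."""
    stack = parse_stack(stack_text)
    verdict = run_stack(stack, scene)
    if scene.unplug_at_prompt:
        scene.device_present = False   # token is gone by the time Enter is pressed
    if recheck_at_login:
        verdict = run_stack(stack, scene)
    return verdict == SUCCESS

JOHN_NO_PASSWORD = dict(device_present=True, password_ok=False, unplug_at_prompt=True)
JOHN_KNOWS_PASSWORD = dict(device_present=True, password_ok=True, unplug_at_prompt=True)
TOM = dict(device_present=True, password_ok=True, unplug_at_prompt=False)

if __name__ == "__main__":
    for name, stack in [("sufficient first", SUFFICIENT_FIRST),
                        ("required first", REQUIRED_FIRST),
                        ("pam_usb after pam_unix", USB_AFTER_UNIX)]:
        print(f"{name:24s}",
              "John/no pw:", greeter_login(stack, Scene(**JOHN_NO_PASSWORD)),
              "John/pw:", greeter_login(stack, Scene(**JOHN_KNOWS_PASSWORD)),
              "Tom:", greeter_login(stack, Scene(**TOM)))
```

Running it reproduces the two log excerpts: with pam_usb.so sufficient and first, the stack returns before any prompt, so John logs in with neither password nor token; with it required and first, the token is verified at greeter start and the password later, so John logs in with the password alone. With pam_usb.so after pam_unix.so the token check runs only once the password has been submitted, when the token is already gone, and John is refused while Tom still gets in. Note that the reorder has to land after the pam_deny.so line, because the [success=1 default=ignore] on pam_unix.so skips exactly one following module.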

This report contains Public Security information: everyone can see this security-related information.
