Tom: knows his password and has the USB device
John: does not know Tom's password or have the USB device
Expected:
To log in as Tom, a user must either know Tom's password or have the USB device.
Actual:
== Tom logged out with the USB device plugged ==
[+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Starting Light Display Manager 1.2.3, UID=0 PID=7727
<snip>
[+0.85s] DEBUG: Activating VT 7
[+1.64s] DEBUG: Greeter start authentication for tom
[+1.64s] DEBUG: Started session 7854 with service 'lightdm', username 'tom'
[+1.87s] DEBUG: Session 7854 authentication complete with return value 0: Success
[+1.87s] DEBUG: Authenticate result for user tom: Success
[+1.91s] DEBUG: User tom authorized
== Tom unplugged the USB device and left the PC ==
== After a few minutes, John came to the PC and pressed Enter ==
[+107.87s] DEBUG: Greeter requests session ubuntu
[+107.87s] DEBUG: Using session ubuntu
[+107.87s] DEBUG: Stopping greeter
<snip>
[+108.54s] DEBUG: Starting session ubuntu as user tom
== John can log in as Tom without typing any password or having the USB device ==
That is undesired behavior. lightdm neither times out a completed authentication nor re-checks the authentication result when the session is actually started.
"auth sufficient" case
/etc/pam.d/common-auth:
auth sufficient pam_usb.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
Tom: knows his password and has the USB device
John: does not know Tom's password or have the USB device
Expected:
To log in as Tom, a user must either know Tom's password or have the USB device.
Actual:
== Tom logged out with the USB device plugged ==
[+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Starting Light Display Manager 1.2.3, UID=0 PID=7727
<snip>
[+0.85s] DEBUG: Activating VT 7
[+1.64s] DEBUG: Greeter start authentication for tom
[+1.64s] DEBUG: Started session 7854 with service 'lightdm', username 'tom'
[+1.87s] DEBUG: Session 7854 authentication complete with return value 0: Success
[+1.87s] DEBUG: Authenticate result for user tom: Success
[+1.91s] DEBUG: User tom authorized
== Tom unplugged the USB device and left the PC ==
== After a few minutes, John came to the PC and pressed Enter ==
[+107.87s] DEBUG: Greeter requests session ubuntu
[+107.87s] DEBUG: Using session ubuntu
[+107.87s] DEBUG: Stopping greeter
<snip>
[+108.54s] DEBUG: Starting session ubuntu as user tom
== John can log in as Tom without typing any password or having the USB device ==
That is undesired behavior. lightdm neither times out a completed authentication nor re-checks the authentication result when the session is actually started.
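Both cases above leave the same trace in lightdm.log: a "Authenticate result for user tom: Success" line followed, much later, by "Starting session ... as user tom" with no new authentication in between. The following is an added example (not code from this report or from lightdm) that audits a lightdm.log excerpt for exactly that window. It does not fix the greeter; it only lets an administrator find past occurrences. The log lines are copied from the excerpt in this report (the "<snip>" parts omitted), and the 30-second threshold is an assumed value for how long a completed authentication may reasonably sit unused.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the lightdm.log lines quoted in this report, with the
# "<snip>" sections left out. Constructed for this example.
SAMPLE_LOG = """\
[+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Starting Light Display Manager 1.2.3, UID=0 PID=7727
[+0.85s] DEBUG: Activating VT 7
[+1.64s] DEBUG: Greeter start authentication for tom
[+1.64s] DEBUG: Started session 7854 with service 'lightdm', username 'tom'
[+1.87s] DEBUG: Session 7854 authentication complete with return value 0: Success
[+1.87s] DEBUG: Authenticate result for user tom: Success
[+1.91s] DEBUG: User tom authorized
[+107.87s] DEBUG: Greeter requests session ubuntu
[+107.87s] DEBUG: Using session ubuntu
[+107.87s] DEBUG: Stopping greeter
[+108.54s] DEBUG: Starting session ubuntu as user tom
"""

# lightdm's debug log format: "[+<seconds>s] DEBUG: <message>"
LINE_RE = re.compile(r"^\[\+(?P<t>\d+\.\d+)s\] DEBUG: (?P<msg>.*)$")
AUTH_OK_RE = re.compile(r"^Authenticate result for user (?P<user>\S+): Success$")
SESSION_START_RE = re.compile(r"^Starting session \S+ as user (?P<user>\S+)$")


@dataclass
class StaleAuth:
    """A session that started long after the authentication it relied on."""
    user: str
    auth_time: float      # seconds since lightdm start, when auth succeeded
    session_time: float   # seconds since lightdm start, when session started

    @property
    def gap(self) -> float:
        return self.session_time - self.auth_time


def find_stale_auths(log_text: str, max_gap_s: float = 30.0) -> List[StaleAuth]:
    """Return every session start that reused an authentication result older
    than max_gap_s seconds. max_gap_s is an assumed policy value."""
    pending: Dict[str, float] = {}   # user -> time of last successful auth
    findings: List[StaleAuth] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t = float(m.group("t"))
        msg = m.group("msg")

        auth = AUTH_OK_RE.match(msg)
        if auth:
            # A fresh success overwrites any earlier pending one for this user.
            pending[auth.group("user")] = t
            continue

        start = SESSION_START_RE.match(msg)
        if start:
            user = start.group("user")
            if user in pending:
                auth_t = pending.pop(user)
                if t - auth_t > max_gap_s:
                    findings.append(StaleAuth(user, auth_t, t))
    return findings


if __name__ == "__main__":
    for f in find_stale_auths(SAMPLE_LOG):
        print(f"user {f.user}: authenticated at +{f.auth_time}s, "
              f"session started at +{f.session_time}s ({f.gap:.2f}s later)")
```

Run against the excerpt above, it reports the single window in which John started Tom's session: authentication at +1.87s, session start at +108.54s, roughly 107 seconds later. Only "Success" results are tracked, since a failed or cancelled authentication leaves nothing for a later Enter to reuse.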