2007-09-04 10:44:18 |
Bogdan Butnaru |
bug |
|
|
added bug |
2007-09-04 10:45:22 |
Bogdan Butnaru |
description |
Binary package hint: libpam-keyring
This is on up-to-date Gutsy:
libpam-keyring doesn't work correctly when set-up together with gdm's autologin feature.
As expected, GDM logins automatically the correct user. However libpam-keyring fails to retrieve the user's password (probably because it wasn't entered) and instead displays a dialog box asking for it, which defeats the purpose of the plugin. Instead, if the password isn't available it should just do nothing (perhaps log a message somewhere) and allow the normal keyring unlocking to work (eg, let Network Manager ask for the password when it needs it).
Also, the dialog where libpam-keyring asks for the password does NOT mask the entered password (eg, with asterisks), making it visible on the screen. That's why I'm marking this as a (minor) security vulnerability.
It's likely that libpam cannot actually retrieve the password on autologins (I assume GDM just "su -"s into the username, so it doesn't actually know the password), in which case this should be attached as a "wishlist" bug for GDM or gnome-keyring. For instance, gnome-keyring might allow itself to be unlocked by the "root" user as an optional feature.
Here's my config:
$ cat /etc/pam.d/gdm-autologin
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
auth optional pam_keyring.so try_first_pass
@include common-account
session required pam_limits.so
session optional pam_keyring.so
@include common-session
@include common-password |
Binary package hint: libpam-keyring
This is on up-to-date Gutsy:
libpam-keyring doesn't work correctly when set-up together with gdm's autologin feature.
As expected, GDM logins automatically the correct user. However libpam-keyring fails to retrieve the user's password (probably because it wasn't entered) and instead displays a dialog box asking for it, which defeats the purpose of the plugin. Instead, if the password isn't available it should just do nothing (perhaps log a message somewhere) and allow the normal keyring unlocking to work (eg, let Network Manager ask for the password when it needs it).
Also, the dialog where libpam-keyring asks for the password does NOT mask the entered password (eg, with asterisks), making it visible on the screen. That's why I'm marking this as a (minor) security vulnerability.
It's likely that libpam cannot actually retrieve the password on autologins (I assume GDM just "su -"s into the username, so it doesn't actually know the password), in which case this should be attached as a "wishlist" bug for GDM or gnome-keyring. For instance, gnome-keyring might allow itself to be unlocked by the "root" user as an optional, lower-security feature.
Here's my config:
$ cat /etc/pam.d/gdm-autologin
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
auth optional pam_keyring.so try_first_pass
@include common-account
session required pam_limits.so
session optional pam_keyring.so
@include common-session
@include common-password |
|
2007-09-04 11:14:01 |
Bogdan Butnaru |
description |
Binary package hint: libpam-keyring
This is on up-to-date Gutsy:
libpam-keyring doesn't work correctly when set-up together with gdm's autologin feature.
As expected, GDM logins automatically the correct user. However libpam-keyring fails to retrieve the user's password (probably because it wasn't entered) and instead displays a dialog box asking for it, which defeats the purpose of the plugin. Instead, if the password isn't available it should just do nothing (perhaps log a message somewhere) and allow the normal keyring unlocking to work (eg, let Network Manager ask for the password when it needs it).
Also, the dialog where libpam-keyring asks for the password does NOT mask the entered password (eg, with asterisks), making it visible on the screen. That's why I'm marking this as a (minor) security vulnerability.
It's likely that libpam cannot actually retrieve the password on autologins (I assume GDM just "su -"s into the username, so it doesn't actually know the password), in which case this should be attached as a "wishlist" bug for GDM or gnome-keyring. For instance, gnome-keyring might allow itself to be unlocked by the "root" user as an optional, lower-security feature.
Here's my config:
$ cat /etc/pam.d/gdm-autologin
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
auth optional pam_keyring.so try_first_pass
@include common-account
session required pam_limits.so
session optional pam_keyring.so
@include common-session
@include common-password |
Binary package hint: libpam-keyring
This is on up-to-date Gutsy:
libpam-keyring doesn't work correctly when set-up together with gdm's autologin feature.
As expected, GDM logins automatically the correct user. However libpam-keyring fails to retrieve the user's password (probably because it wasn't entered) and instead displays a dialog box asking for it, which defeats the purpose of the plugin. Instead, if the password isn't available it should just do nothing (perhaps log a message somewhere) and allow the normal keyring unlocking to work (eg, let Network Manager ask for the password when it needs it). This locks the loading process, which is very annoying.
Also, the dialog where libpam-keyring asks for the password does NOT mask the entered password (eg, with asterisks), making it visible on the screen. That's why I'm marking this as a (minor) security vulnerability.
Note: of course this can be worked-around by simply disabling the plugin in /etc/pam.d/gdm-autologin (and it doesn't put itself there), but it's still buggy behavior.
It's likely that libpam cannot actually retrieve the password on autologins (I assume GDM just "su -"s into the username, so it doesn't actually know the password), in which case this should be attached as a "wishlist" bug for GDM or gnome-keyring. For instance, gnome-keyring might allow itself to be unlocked by the "root" user as an optional, lower-security feature.
Here's my config:
$ cat /etc/pam.d/gdm-autologin
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
auth optional pam_keyring.so try_first_pass
@include common-account
session required pam_limits.so
session optional pam_keyring.so
@include common-session
@include common-password |
|
2007-09-05 16:04:24 |
Laurent Bigonville |
pam-keyring: status |
New |
Incomplete |
|
2007-09-05 16:04:31 |
Laurent Bigonville |
pam-keyring: assignee |
|
bigon |
|
2007-09-20 14:16:40 |
Laurent Bigonville |
pam-keyring: status |
Incomplete |
Won't Fix |
|
2007-10-02 16:20:13 |
Bruce Cowan |
bug |
|
|
assigned to gnome-keyring (Ubuntu) |
2007-10-02 16:50:14 |
Sebastien Bacher |
bug |
|
|
added subscriber Bruce Cowan |
2007-10-02 18:21:47 |
Pedro Villavicencio |
gnome-keyring: importance |
Undecided |
Medium |
|
2007-10-02 18:21:47 |
Pedro Villavicencio |
gnome-keyring: status |
New |
Incomplete |
|
2007-10-02 18:24:22 |
Pedro Villavicencio |
gnome-keyring: status |
Incomplete |
New |
|
2007-10-02 22:43:59 |
Bruce Cowan |
bug |
|
|
added attachment 'gdm-autologin' (/etc/pam.d/gdm-autologin) |
2007-10-03 15:08:53 |
Bruce Cowan |
bug |
|
|
added attachment 'Example.png' (Example) |
2007-11-01 19:05:52 |
Troels Faber |
bug |
|
|
added attachment 'pam-keyring-tool' (pam-keyring-tool) |
2007-11-03 11:49:42 |
laga |
bug |
|
|
added subscriber Mythbuntu |
2007-12-30 01:33:48 |
TomasHnyk |
bug |
|
|
assigned to gnome-keyring |
2007-12-30 10:00:40 |
Bug Watch Updater |
gnome-keyring: status |
Unknown |
New |
|
2008-01-12 10:14:46 |
Bug Watch Updater |
gnome-keyring: status |
New |
Invalid |
|
2008-01-28 16:51:41 |
Sebastien Bacher |
marked as duplicate |
|
181281 |
|
2008-01-29 11:54:48 |
cenora |
bug |
|
|
added attachment 'proset_splash.jpg' (proset_splash.jpg) |
2008-01-29 12:22:51 |
Bruce Cowan |
removed duplicate marker |
181281 |
|
|
2008-02-11 10:19:54 |
Mantas Kriaučiūnas |
bug |
|
|
added subscriber Baltix Members |
2008-02-11 10:21:18 |
Mantas Kriaučiūnas |
bug |
|
|
assigned to gdm (Baltix) |
2008-03-18 03:44:55 |
Omegamormegil |
gdm: status |
New |
Confirmed |
|
2008-07-07 13:51:15 |
Jamie Strandboge |
bug |
|
|
added subscriber Ubuntu Bugs |
2009-02-08 12:50:58 |
Henrik |
bug |
|
|
assigned to network-manager-applet (Ubuntu) |
2009-02-16 22:15:16 |
Alexander Sack |
network-manager-applet: status |
New |
Invalid |
|
2009-02-16 22:15:16 |
Alexander Sack |
network-manager-applet: statusexplanation |
|
i dont see an issue for nm-applet here. please reopen and give a short explanation why nm-applet is the problem here. |
|
2009-02-17 09:11:59 |
Henrik |
network-manager-applet: status |
Invalid |
New |
|
2009-02-17 09:11:59 |
Henrik |
network-manager-applet: statusexplanation |
i dont see an issue for nm-applet here. please reopen and give a short explanation why nm-applet is the problem here. |
|
|
2009-03-10 19:38:07 |
Pedro Villavicencio |
gdm: assignee |
|
canonical-desktop-team |
|
2009-03-10 19:38:07 |
Pedro Villavicencio |
gdm: statusexplanation |
I marked this bug confirmed, because I've experienced this problem. It is apparently intended functionality, according to the Gnome developers, but I'd still really like to be able to connect to my secured wifi at home without authentication using my laptop. I do believe Windows lets you save a WPA password, and also login automatically. Of course it's less secure, but I want to be able to choose more usability over security, if I want to. In my case, I don't want my wife to have to bother with passwords. If someone steals my laptop, and can connect to my home network without authentication, that's my problem to fix. |
|
|
2009-03-10 21:07:25 |
Rick Spencer |
gdm: status |
Confirmed |
Invalid |
|
2009-03-10 21:07:25 |
Rick Spencer |
gdm: assignee |
canonical-desktop-team |
|
|
2009-03-10 21:07:25 |
Rick Spencer |
gdm: statusexplanation |
|
This sounds like it is not a bug, but by design behavior. Please re-open if I am mistaken. |
|
2009-03-10 21:08:05 |
Rick Spencer |
network-manager-applet: status |
New |
Invalid |
|
2009-06-04 08:30:19 |
Leszek |
removed subscriber Leszek |
|
|
|
2009-06-13 21:24:47 |
Tchalvak |
removed subscriber Tchalvak |
|
|
|
2009-06-15 23:45:13 |
David Tomaschik |
bug task added |
|
hundredpapercuts |
|
2009-06-17 15:24:42 |
David Siegel |
hundredpapercuts: status |
New |
Confirmed |
|
2009-06-17 15:53:39 |
Pablo Castellano |
removed subscriber Pablo Castellano |
|
|
|
2009-06-22 20:41:02 |
David Siegel |
hundredpapercuts: status |
Confirmed |
Incomplete |
|
2009-06-22 20:52:30 |
Troels Faber |
removed subscriber Troels Faber |
|
|
|
2009-07-01 07:46:44 |
Olivier Cortès |
removed subscriber Olivier Cortès |
|
|
|
2009-08-19 15:55:53 |
Logan Johnson |
removed subscriber Logan Johnson |
|
|
|
2010-01-16 15:34:40 |
Vish |
hundredpapercuts: status |
Incomplete |
Invalid |
|
2010-01-16 16:13:10 |
TomasHnyk |
removed subscriber TomasHnyk |
|
|
|
2010-04-22 17:05:09 |
Eric Appleman |
nominated for series |
|
Ubuntu Lucid |
|
2010-08-20 16:41:28 |
Dimitrios Symeonidis |
removed subscriber Dimitrios Symeonidis |
|
|
|
2010-09-15 23:49:40 |
Bug Watch Updater |
gnome-keyring: importance |
Unknown |
Medium |
|
2010-11-18 08:36:04 |
neuromancer |
bug |
|
|
added subscriber neuromancer |
2011-03-15 00:03:46 |
John Doe |
bug |
|
|
added subscriber Thorsten Reinbold |
2011-05-22 01:15:43 |
Max Kaehn |
bug |
|
|
added subscriber Max Kaehn |
2011-10-19 16:34:53 |
Jamie Strandboge |
removed subscriber Ubuntu Security Team |
|
|
|
2013-02-04 02:59:20 |
Chet Gray |
removed subscriber Chet Gray |
|
|
|
2013-07-09 18:46:59 |
John Doe |
removed subscriber Thorsten Reinbold |
|
|
|