[device lock] Delay log in attempts after several failed ones
Bug #1347907 reported by kevin gunn
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu UX | Fix Released | High | Olga Kemmet | |
unity8 (Ubuntu) | Fix Released | Undecided | Michael Terry | |
Bug Description
Capturing the desire from our security team to add in a delay for the ability to attempt unlocks on the greeter.
Unless design provides some other specification, choose 5 potential failed attempts, upon which the greeter will not unlock or allow a password entry attempt for 1 hour.
Related branches
lp:~mterry/unity8/wrong-password-handling: Superseded for merging into lp:unity8
- PS Jenkins bot (community): Needs Fixing (continuous-integration)
- Michael Zanetti (community): Approve
- Michał Sawicz: Abstain
- David Planella (community): Needs Fixing
- Albert Astals Cid (community): Needs Fixing
Diff: 1663 lines (+703/-139), 45 files modified
cmake/modules/QmlTest.cmake (+2/-2)
cmake/modules/autopilot.cmake (+2/-2)
debian/control (+2/-1)
debian/unity8-private.install (+0/-2)
plugins/AccountsService/50-com.canonical.unity.AccountsService.pkla (+0/-6)
plugins/AccountsService/AccountsService.cpp (+27/-1)
plugins/AccountsService/AccountsService.h (+9/-0)
plugins/AccountsService/CMakeLists.txt (+0/-10)
plugins/AccountsService/com.canonical.unity.AccountsService.policy (+0/-24)
plugins/AccountsService/com.canonical.unity.AccountsService.xml (+28/-5)
plugins/LightDM/Greeter.cpp (+4/-1)
plugins/LightDM/Greeter.h (+1/-1)
plugins/Ubuntu/CMakeLists.txt (+1/-0)
plugins/Ubuntu/SystemImage/CMakeLists.txt (+10/-0)
plugins/Ubuntu/SystemImage/SystemImage.cpp (+34/-0)
plugins/Ubuntu/SystemImage/SystemImage.h (+38/-0)
plugins/Ubuntu/SystemImage/SystemImage.qmltypes (+17/-0)
plugins/Ubuntu/SystemImage/plugin.cpp (+34/-0)
plugins/Ubuntu/SystemImage/plugin.h (+31/-0)
plugins/Ubuntu/SystemImage/qmldir (+3/-0)
po/unity8.pot (+72/-19)
qml/Components/Lockscreen.qml (+35/-10)
qml/Components/PassphraseLockscreen.qml (+3/-4)
qml/Components/PinLockscreen.qml (+3/-4)
qml/Notifications/NotificationMenuItemFactory.qml (+0/-1)
qml/Shell.qml (+53/-8)
run.sh (+21/-20)
tests/mocks/AccountsService/AccountsService.cpp (+13/-1)
tests/mocks/AccountsService/AccountsService.h (+8/-0)
tests/mocks/LightDM/Greeter.cpp (+11/-0)
tests/mocks/LightDM/Greeter.h (+3/-0)
tests/mocks/LightDM/demo/CMakeLists.txt (+13/-0)
tests/mocks/LightDM/full/GreeterPrivate.cpp (+4/-4)
tests/mocks/LightDM/single-passphrase/GreeterPrivate.cpp (+2/-9)
tests/mocks/LightDM/single-pin/GreeterPrivate.cpp (+3/-2)
tests/mocks/Ubuntu/CMakeLists.txt (+1/-0)
tests/mocks/Ubuntu/SystemImage/CMakeLists.txt (+10/-0)
tests/mocks/Ubuntu/SystemImage/MockSystemImage.cpp (+27/-0)
tests/mocks/Ubuntu/SystemImage/MockSystemImage.h (+36/-0)
tests/mocks/Ubuntu/SystemImage/SystemImage.qmltypes (+18/-0)
tests/mocks/Ubuntu/SystemImage/plugin.cpp (+34/-0)
tests/mocks/Ubuntu/SystemImage/plugin.h (+31/-0)
tests/mocks/Ubuntu/SystemImage/qmldir (+3/-0)
tests/qmltests/Greeter/tst_Lockscreen.qml (+0/-2)
tests/qmltests/tst_ShellWithPin.qml (+56/-0)
Changed in unity8:
assignee: nobody → Michael Terry (mterry)
tags: added: rtm14
Changed in unity8:
status: New → In Progress
Changed in ubuntu-ux:
assignee: nobody → Olga Kemmet (olga-kemmet)
importance: Undecided → High
status: New → Fix Committed
summary:
- Delay log in attempts after several failed ones
+ [device lock] Delay log in attempts after several failed ones
Changed in ubuntu-ux:
status: Fix Committed → Fix Released
Changed in unity8 (Ubuntu):
assignee: nobody → Michael Terry (mterry)
no longer affects: unity8
I've added an ubuntu-ux task, because I'd like guidance for how this is presented to the user.
My thinking from a technical POV is that we can use a PAM module (pam_tally2) to record failed logins. The timing is configurable with it, but the default behavior is to just silently fail. That is, once the user fails to log in, say, 5 times, then further logins for, say, an hour will fail (even if the right password is used). Is that how we'd like it to work?
But we probably want some message to be shown to the user. Right now we don't show any text at all on incorrect entries. We just jiggle the password box.
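
The lockout behaviour discussed in this report, as an added example that is not part of the original bug, the unity8 branch or pam_tally2: a simplified model using the 5-attempt and 1-hour values from the description, showing that a correct entry is refused while locked and that the greeter can compute text to show instead of failing silently. `Greeter`, `Tally`, the message strings and passing the clock in as `now` are assumptions made for illustration.

```python
"""Simplified model of the lockout policy in this bug; not pam_tally2's own logic."""
import hmac
import math
from dataclasses import dataclass, field

DENY = 5            # failed attempts before lockout (value from the bug description)
UNLOCK_TIME = 3600  # lockout length in seconds: 1 hour (value from the bug description)

@dataclass
class Tally:
    failures: int = 0
    last_failure: float = 0.0

@dataclass
class Greeter:
    secret: str  # constructed sample credential
    tallies: dict = field(default_factory=dict)

    def seconds_locked(self, user, now):
        """Remaining lockout in whole seconds; 0 if the user may try again."""
        tally = self.tallies.get(user)
        if tally is None or tally.failures < DENY:
            return 0
        remaining = tally.last_failure + UNLOCK_TIME - now
        if remaining <= 0:
            del self.tallies[user]  # lock expired: counting starts afresh
            return 0
        return math.ceil(remaining)

    def attempt(self, user, password, now):
        """Return (unlocked, text_for_user); the texts are hypothetical wording."""
        wait = self.seconds_locked(user, now)
        if wait:
            # Checked before the password, so a correct entry is refused too.
            # Assumption: attempts made while locked do not extend the lock.
            return False, f"Locked. Try again in {math.ceil(wait / 60)} min."
        if hmac.compare_digest(password.encode(), self.secret.encode()):
            self.tallies.pop(user, None)  # success clears the tally
            return True, ""
        tally = self.tallies.setdefault(user, Tally())
        tally.failures += 1
        tally.last_failure = now
        left = DENY - tally.failures
        if left == 0:
            return False, f"Locked. Try again in {UNLOCK_TIME // 60} min."
        return False, f"Incorrect. {left} attempt(s) left."
```
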