[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-11-28 Thread David Edmundson
https://bugs.kde.org/show_bug.cgi?id=465266

David Edmundson  changed:

           What|Removed |Added

  Latest Commit|        |https://invent.kde.org/plasma/plasma-workspace/-/commit/2be90db50bd369d44a567e3642ec98deca21187c
     Resolution|---     |FIXED
         Status|ASSIGNED|RESOLVED

--- Comment #5 from David Edmundson  ---
Git commit 2be90db50bd369d44a567e3642ec98deca21187c by David Edmundson.
Committed on 28/11/2023 at 11:50.
Pushed by davidedmundson into branch 'master'.

Fix most of the lock screen

The commit  introduced the idea of tying the UI to the authentication
state. Starting and cancelling as the UI became visible.
Whilst nice on paper this had two critical bugs:

- cancelling an interactive authentication leads to an entry in the
faillock list. This means pressing escape 3 times in quick succession
could lock you out of your account for 10 minutes.

- There was a concept of a failed state, which wasn't handled in the UI
properly leading to prompts disappearing.

The notification about the failed lock could not be seen.

It also failed to handle the prompts correctly, we had multiple things
bound to the same root.notification completely ignoring the
handleMessage function which is trying to stack messages.

This reverts some of commit 59cdc995e738a0b1cd734e2d1be19e87db99f32b,
but keeps the core feature.
Related: bug 477326

M  +2    -0    lookandfeel/components/WallpaperFader.qml
M  +22   -17   lookandfeel/org.kde.breeze/contents/lockscreen/LockScreenUi.qml

https://invent.kde.org/plasma/plasma-workspace/-/commit/2be90db50bd369d44a567e3642ec98deca21187c

-- 
You are receiving this mail because:
You are watching all bug changes.

[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-11-27 Thread Bug Janitor Service
https://bugs.kde.org/show_bug.cgi?id=465266

Bug Janitor Service  changed:

   What|Removed |Added

 Status|CONFIRMED   |ASSIGNED

--- Comment #4 from Bug Janitor Service  ---
A possibly relevant merge request was started @
https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/3610


[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-11-21 Thread postix
https://bugs.kde.org/show_bug.cgi?id=465266

postix  changed:

   What|Removed |Added

 CC||pos...@posteo.eu


[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-11-21 Thread postix
https://bugs.kde.org/show_bug.cgi?id=465266

postix  changed:

       What|Removed |Added

   See Also|        |https://bugs.kde.org/show_bug.cgi?id=477326


[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-03-08 Thread Harold
https://bugs.kde.org/show_bug.cgi?id=465266

Harold  changed:

   What|Removed |Added

 CC||hd+...@bluecell.net


[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-03-03 Thread Richard Ullger
https://bugs.kde.org/show_bug.cgi?id=465266

--- Comment #3 from Richard Ullger  ---
Workaround is to set 'Allow unlocking without password for:' to 0 seconds and
let the session lock. You can then immediately log back in without getting a
locked account.


[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-03-02 Thread Richard Ullger
https://bugs.kde.org/show_bug.cgi?id=465266

Richard Ullger  changed:

   What|Removed |Added

 CC||rull...@protonmail.com
 Ever confirmed|0   |1
 Status|REPORTED|CONFIRMED

--- Comment #2 from Richard Ullger  ---
I can confirm this in 5.27.2. The more failed attempts there are, the longer
the user's account is locked.

After the locked time has elapsed without any further failed attempts, the
screen locker doesn't clear the locked error message displayed and it requires
a login attempt to clear the error in the screen locker still preventing login
and another login attempt to actually log in.

Mar 02 18:15:00 richards-clevo kscreenlocker_greet[15138]: pam_faillock(kde:auth): Consecutive login failures for user richard account temporarily locked
Mar 02 18:15:00 richards-clevo kscreenlocker_greet[15138]: pam_unix(kde:auth): auth could not identify password for [richard]
Mar 02 18:15:00 richards-clevo kscreenlocker_greet[15138]: pam_unix(kde:auth): conversation failed
Mar 02 18:15:00 richards-clevo kscreenlocker_greet[15138]: pam_unix(kde:auth): unexpected response from failed conversation function
Mar 02 18:15:00 richards-clevo kscreenlocker_greet[15138]: pam_systemd_home(kde:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Mar 02 18:13:58 richards-clevo kscreenlocker_greet[14997]: pam_unix(kde:auth): auth could not identify password for [richard]
Mar 02 18:13:58 richards-clevo kscreenlocker_greet[14997]: pam_unix(kde:auth): conversation failed
Mar 02 18:13:58 richards-clevo kscreenlocker_greet[14997]: pam_unix(kde:auth): unexpected response from failed conversation function
Mar 02 18:13:58 richards-clevo kscreenlocker_greet[14997]: pam_systemd_home(kde:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Mar 02 18:12:56 richards-clevo kscreenlocker_greet[14846]: pam_unix(kde:auth): auth could not identify password for [richard]
Mar 02 18:12:56 richards-clevo kscreenlocker_greet[14846]: pam_unix(kde:auth): conversation failed
Mar 02 18:12:56 richards-clevo kscreenlocker_greet[14846]: pam_unix(kde:auth): unexpected response from failed conversation function
Mar 02 18:12:55 richards-clevo kscreenlocker_greet[14846]: pam_systemd_home(kde:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Mar 02 18:08:40 richards-clevo kscreenlocker_greet[6212]: pam_systemd_home(kde:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.

Operating System: Arch Linux 
KDE Plasma Version: 5.27.2
KDE Frameworks Version: 5.103.0
Qt Version: 5.15.8
Kernel Version: 6.2.1-arch1-1 (64-bit)
Graphics Platform: X11
Processors: 12 × Intel® Core™ i7-8700 CPU @ 3.20GHz
Memory: 31.3 GiB of RAM
Graphics Processor: NVIDIA GeForce GTX 1080/PCIe/SSE2
Manufacturer: Notebook
Product Name: P7xxTM1
System Version: Not Applicable

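Added example, not part of the bug thread or of KDE's code: a triage script for the journal output discussed above that separates PAM conversations aborted without a password (the pattern in Comment #2) from real wrong-password failures, and reports users whose pam_faillock lockout was driven mainly by the former. It assumes unwrapped `journalctl -t kscreenlocker_greet` lines; the host, user and PIDs are constructed, the function names are hypothetical, and the `authentication failure; ... user=` line is the standard pam_unix wrong-password message, which does not appear in the thread's excerpt.

```python
import re
from collections import defaultdict

# Constructed sample in the short journalctl format shown in the thread
# (host "host1", user "alice" and the PIDs are made up).
SAMPLE = """\
Mar 02 18:12:56 host1 kscreenlocker_greet[101]: pam_unix(kde:auth): conversation failed
Mar 02 18:12:56 host1 kscreenlocker_greet[101]: pam_unix(kde:auth): auth could not identify password for [alice]
Mar 02 18:13:58 host1 kscreenlocker_greet[102]: pam_unix(kde:auth): conversation failed
Mar 02 18:13:58 host1 kscreenlocker_greet[102]: pam_unix(kde:auth): auth could not identify password for [alice]
Mar 02 18:14:30 host1 kscreenlocker_greet[103]: pam_unix(kde:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=alice
Mar 02 18:15:00 host1 kscreenlocker_greet[104]: pam_unix(kde:auth): conversation failed
Mar 02 18:15:00 host1 kscreenlocker_greet[104]: pam_unix(kde:auth): auth could not identify password for [alice]
Mar 02 18:15:00 host1 kscreenlocker_greet[104]: pam_faillock(kde:auth): Consecutive login failures for user alice account temporarily locked
"""

LINE = re.compile(r"kscreenlocker_greet\[(\d+)\]: (pam_\w+)\(kde:auth\): (.*)$")
NO_PASSWORD = re.compile(r"auth could not identify password for \[(\S+)\]")
BAD_PASSWORD = re.compile(r"authentication failure;.*\buser=(\S+)")
LOCKED = re.compile(r"Consecutive login failures for user (\S+) account temporarily locked")

def summarize(journal_text):
    """Per user: aborted PAM conversations, real password failures, lockouts."""
    stats = defaultdict(lambda: {"aborted": set(), "bad_password": 0, "lockouts": 0})
    for line in journal_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, module, msg = m.groups()
        if module == "pam_unix" and (hit := NO_PASSWORD.search(msg)):
            # No password ever reached pam_unix: the conversation was cancelled.
            stats[hit.group(1)]["aborted"].add(pid)  # count once per greeter PID
        elif module == "pam_unix" and (hit := BAD_PASSWORD.search(msg)):
            stats[hit.group(1)]["bad_password"] += 1
        elif module == "pam_faillock" and (hit := LOCKED.search(msg)):
            stats[hit.group(1)]["lockouts"] += 1
    return {u: {"aborted": len(s["aborted"]), "bad_password": s["bad_password"],
                "lockouts": s["lockouts"]} for u, s in stats.items()}

def self_inflicted(summary):
    """Users locked out where aborted conversations outnumber wrong passwords."""
    return sorted(u for u, s in summary.items()
                  if s["lockouts"] and s["aborted"] > s["bad_password"])

if __name__ == "__main__":
    print(self_inflicted(summarize(SAMPLE)))
```

On a fleet, a user showing up in `self_inflicted` points at the grace-period bug rather than password guessing, which is useful when deciding whether a lockout alert needs investigation.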

[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-02-06 Thread Nate Graham
https://bugs.kde.org/show_bug.cgi?id=465266

Nate Graham  changed:

   What|Removed |Added

 CC||n...@kde.org


[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-02-04 Thread Colin J Thomson
https://bugs.kde.org/show_bug.cgi?id=465266

--- Comment #1 from Colin J Thomson  ---
On Saturday, 4 February 2023 11:27:56 GMT bugzilla_nore...@kde.org wrote:
> https://bugs.kde.org/show_bug.cgi?id=465266
> 
> Bug ID: 465266
>Summary: Cancelling the screen locker within the grace period
> causes authentication failures (which may cause
> account lockouts)
> Classification: Plasma
>Product: kscreenlocker
>Version: 5.26.5
>   Platform: Archlinux
> OS: Linux
> Status: REPORTED
>   Severity: normal
>   Priority: NOR
>  Component: general
>   Assignee: plasma-b...@kde.org
>   Reporter: konrad.far...@gmail.com
>   Target Milestone: ---
> 
> SUMMARY
> If the screen locker is cancelled within the configured grace period, it
> will be registered by pam as an authentication failure. On some distros, 3
> such authentication failures will cause an unexpected 10-minute account
> lockout.
> 
> 
> STEPS TO REPRODUCE
> 1. Enable automatic screen locking after 1 minute
> 2. Set the grace period ("Allow unlocking without password for: ") to a
> value greater than zero
> 3. Wait for the screen locker
> 4. Move the mouse within the configured grace period to cancel the screen
> locker
> 5. Open a terminal and run `journalctl -rt kscreenlocker_greet -b 0` (run as
> root if needed)
> 
> OBSERVED RESULT
> "authentication failure" is shown in the journal at the time when the screen
> locker was cancelled, even though no attempt at authentication was made by
> the user
> 
> EXPECTED RESULT
> kscreenlocker should only try to authenticate the user after the grace
> period has expired - no "authentication failure" message should be seen in
> the journal if the screen locker was cancelled within the configured grace
> period
> 
> SOFTWARE/OS VERSIONS
> Tested on two linux distributions:
> 1. Arch Linux (6.1.9-zen1-1-zen x86_64)
> KDE Plasma Version: 5.26.5
> KDE Frameworks Version: 5.102.0
> Qt Version: 5.15.8
> Graphics Platform: X11
> 2. KDE Neon Testing (5.15.0-58-generic x86_64)
> KDE Plasma Version: 5.26.90
> KDE Frameworks Version: 5.103.0
> Qt Version: 5.15.8
> Graphics Platform: X11


[kscreenlocker] [Bug 465266] Cancelling the screen locker within the grace period causes authentication failures (which may cause account lockouts)

2023-02-04 Thread mini_bomba
https://bugs.kde.org/show_bug.cgi?id=465266

mini_bomba  changed:

   What|Removed |Added

 CC||konrad.far...@gmail.com
