Bug#737396: kscreensaver: locked screen allows any password if a third session (vt9) is also active
On Thu, Jun 05, 2014 at 10:52:54AM +0200, Lajos Mester wrote:
> I tried to log in in a different order, and it came out that it wasn't the number of the VTs, but always the same user who got logged in without a valid password. I have no idea why this happened. And I'm unable to reproduce it any more: I changed the password of that user, and it seems to be OK. Now the login is only possible with a (valid) password. I would like to know what could have got corrupted, or hijacked. Could you please give me advice?
> Thanks

Try looking at the contents of /var/log/auth* as any PAM errors should be logged there.

Alternatively you may want to ask on https://lists.debian.org/debian-user/

As this does not look to be a problem with KDE please could you also close the bugs you have raised in Debian and KDE.

http://www.debian.org/Bugs/Developer#closing
https://bugs.kde.org/show_bug.cgi?id=330526

--
Jim Scadden

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
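Jim's advice above is to look through /var/log/auth* for PAM errors. The script below is an added example, not part of the bug thread or of any Debian or KDE package: it parses the pam_unix lines of an auth.log in Debian's syslog format and reports, per user, how many authentication failures and session opens were logged. Run over the log after deliberately entering a wrong password on every session, as the reporter did, any user whose session was opened while PAM recorded no rejected attempt is the one to examine further. The log lines, the host and user names, and the `kde` PAM service name are constructed sample data, not values taken from the report.

```python
"""Summarise pam_unix events from auth.log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample lines in Debian auth.log (syslog) format; not from the bug report.
SAMPLE_AUTH_LOG = """\
May 30 20:55:01 host login[1234]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty2 ruser= rhost=  user=bob
May 30 20:55:05 host login[1234]: FAILED LOGIN (1) on '/dev/tty2' FOR 'bob', Authentication failure
May 30 20:55:20 host login[1234]: pam_unix(login:session): session opened for user bob by LOGIN(uid=0)
May 30 20:56:10 host login[1240]: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)
May 30 20:57:30 host kcheckpass[1250]: pam_unix(kde:auth): authentication failure; logname= uid=1002 euid=1002 tty=:2 ruser= rhost=  user=carol
May 30 20:58:00 host kcheckpass[1260]: pam_unix(kde:auth): authentication failure; logname= uid=1002 euid=1002 tty=:2 ruser= rhost=  user=carol
"""

# Generic syslog prefix followed by a pam_unix(<service>:<type>) tag.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w.-]+)\[\d+\]: "
    r"pam_unix\((?P<service>[^:]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
# "\buser=" deliberately does not match the "ruser=" field that precedes it.
FAIL_RE = re.compile(r"authentication failure;.*?\btty=(?P<tty>\S*).*?\buser=(?P<user>\S*)")
OPEN_RE = re.compile(r"session opened for user (?P<user>\S+)")


def parse_auth_log(text):
    """Return pam_unix auth failures and session opens as a list of dicts, in log order."""
    events = []
    for line in text.splitlines():
        m = PAM_RE.match(line)
        if not m:
            continue  # lines not emitted by pam_unix (e.g. "FAILED LOGIN") are ignored
        msg = m.group("msg")
        if m.group("type") == "auth":
            f = FAIL_RE.search(msg)
            if f:
                events.append({"ts": m.group("ts"), "service": m.group("service"),
                               "kind": "failure", "user": f.group("user"), "tty": f.group("tty")})
        elif m.group("type") == "session":
            o = OPEN_RE.search(msg)
            if o:
                events.append({"ts": m.group("ts"), "service": m.group("service"),
                               "kind": "session_open", "user": o.group("user"), "tty": ""})
    return events


def summarize(events):
    """Per-user counts of failures and opened sessions, plus the PAM services seen."""
    summary = defaultdict(lambda: {"failures": 0, "sessions": 0, "services": set()})
    for e in events:
        s = summary[e["user"]]
        s["failures" if e["kind"] == "failure" else "sessions"] += 1
        s["services"].add(e["service"])
    return dict(summary)


def opened_without_failure(events):
    """Users who got a session opened while the log holds no auth failure for them.

    Only meaningful after a wrong password was deliberately tried on every
    session first: pam_unix is silent on success, so a user in this list had a
    session opened without PAM ever recording the rejected attempt."""
    summary = summarize(events)
    return sorted(u for u, s in summary.items() if s["sessions"] and not s["failures"])


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, s in sorted(summarize(evs).items()):
        print(f"{user:10} failures={s['failures']} sessions={s['sessions']} "
              f"services={','.join(sorted(s['services']))}")
    print("opened without a logged failure:", opened_without_failure(evs))
```

To use it on a real system, feed `parse_auth_log()` the contents of /var/log/auth.log (root is needed to read it) instead of the embedded sample; the "FAILED LOGIN" lines written by login(1) itself are skipped on purpose, since the question in the thread is what PAM logged.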
Bug#737396: kscreensaver: locked screen allows any password if a third session (vt9) is also active
I tried to log in in a different order, and it came out that it wasn't the number of the VTs, but always the same user who got logged in without a valid password. I have no idea why this happened. And I'm unable to reproduce it any more: I changed the password of that user, and it seems to be OK. Now the login is only possible with a (valid) password. I would like to know what could have got corrupted, or hijacked. Could you please give me advice?
Thanks

On Tuesday, 3 June 2014, 10:06:05 you wrote:
> On Fri, May 30, 2014 at 09:03:01PM +0200, Lajos Mester wrote:
> > > This looks like the authentication is actually passing. Could you try installing pamtester (which is available for jessie/sid) and run the following command and provide the results:
> > >
> > > pamtester -v login username authenticate
> >
> > for the user logged on the first VT:
> >
> > pamtester: invoking pam_start(login, the login, ...)
> > pamtester: performing operation - authenticate
> > Password:
> > pamtester: Authentication failure
> >
> > -- with or without a password, even with the correct one. Other users get:
> >
> > pamtester: successfully authenticated
>
> What are the corresponding messages in /var/log/auth.log ?
>
> --
> Jim Scadden
Bug#737396: kscreensaver: locked screen allows any password if a third session (vt9) is also active
On Fri, May 30, 2014 at 09:03:01PM +0200, Lajos Mester wrote:
> > This looks like the authentication is actually passing. Could you try installing pamtester (which is available for jessie/sid) and run the following command and provide the results:
> >
> > pamtester -v login username authenticate
>
> for the user logged on the first VT:
>
> pamtester: invoking pam_start(login, the login, ...)
> pamtester: performing operation - authenticate
> Password:
> pamtester: Authentication failure
>
> -- with or without a password, even with the correct one. Other users get:
>
> pamtester: successfully authenticated

What are the corresponding messages in /var/log/auth.log ?

--
Jim Scadden
Bug#737396: kscreensaver: locked screen allows any password if a third session (vt9) is also active
On Thursday, 29 May 2014, 21:47:29 you wrote:
> On Tue, May 27, 2014 at 06:50:01PM +0200, Lajos Mester wrote:
> > > * What authentication type is PAM using (e.g. shadow, ldap, krb5) ?
> >
> > How do I know it?
>
> Unless you have changed it, the default should be shadow. Documentation for PAM is available at http://www.linux-pam.org/

Did not change it.

> > > * What is the result of the following command on the different VTs with an invalid password:
> > >
> > > /usr/lib/kde4/libexec/kcheckpass; echo $?
> >
> > Trying to log in on the standard terminals. Even there, the user who is logged in on the first K-VT gets logged in without a pass. For this user the command above gives 0, for the others authentication failure 1.
>
> This looks like the authentication is actually passing. Could you try installing pamtester (which is available for jessie/sid) and run the following command and provide the results:
>
> pamtester -v login username authenticate

for the user logged on the first VT:

pamtester: invoking pam_start(login, the login, ...)
pamtester: performing operation - authenticate
Password:
pamtester: Authentication failure

-- with or without a password, even with the correct one. Other users get:

pamtester: successfully authenticated

> --
> Jim Scadden
Bug#737396: kscreensaver: locked screen allows any password if a third session (vt9) is also active
On Tue, May 27, 2014 at 06:50:01PM +0200, Lajos Mester wrote:
> > * What authentication type is PAM using (e.g. shadow, ldap, krb5) ?
>
> How do I know it?

Unless you have changed it, the default should be shadow. Documentation for PAM is available at http://www.linux-pam.org/

> > * What is the result of the following command on the different VTs with an invalid password:
> >
> > /usr/lib/kde4/libexec/kcheckpass; echo $?
>
> Trying to log in on the standard terminals. Even there, the user who is logged in on the first K-VT gets logged in without a pass. For this user the command above gives 0, for the others authentication failure 1.

This looks like the authentication is actually passing. Could you try installing pamtester (which is available for jessie/sid) and run the following command and provide the results:

pamtester -v login username authenticate

--
Jim Scadden
Bug#737396: kscreensaver: locked screen allows any password if a third session (vt9) is also active
Hi Jim, thanks for caring...

I have testing-unstable installed, almost always up to date. The bug is still there. Please find the answers to your questions below. If you need more info, just drop a mail.

Thanks and regards.
Lajos

On Sunday, 25 May 2014, 08:32:18 you wrote:
> tags 737396 + moreinfo
> stop
>
> Hi Lajos,
>
> I have been unable to reproduce this bug with the current versions of kscreensaver in wheezy (4:4.8.4-5) and jessie (4:4.12.4-1).

apt-cache policy kscreensaver
kscreensaver:
  Installiert:           4:4.12.4-1
  Installationskandidat: 4:4.12.4-1
  Versionstabelle:
 *** 4:4.12.4-1 0
        500 http://ftp.de.debian.org/debian/ testing/main amd64 Packages
        500 http://ftp.de.debian.org/debian/ unstable/main amd64 Packages
        100 /var/lib/dpkg/status
     4:4.8.4-5 0
        500 http://ftp.de.debian.org/debian/ wheezy/main amd64 Packages

> Please could you advise the following to help reproduce the problem:
>
> * Are all of the VT sessions logged in as different users?

Yes

> * Are there any errors in /var/log/auth.log ?

Yes, but only for the second and third sessions (if trying with a wrong password). The first session did not log any error.

> * Are there any errors in ~/.xsession-errors ?

Any? Well, sort of. It's 18 MB long. After deleting it and switching to the first session (w/o pass), no errors are written.

> * What authentication type is PAM using (e.g. shadow, ldap, krb5) ?

How do I know it?

> * What is the result of the following command on the different VTs with an invalid password:
>
> /usr/lib/kde4/libexec/kcheckpass; echo $?

Trying to log in on the standard terminals. Even there, the user who is logged in on the first K-VT gets logged in without a pass. For this user the command above gives 0, for the others authentication failure 1.

> Thanks
Bug#737396: kscreensaver: locked screen allows any password if a third session (vt9) is also active
tags 737396 + moreinfo
stop

Hi Lajos,

I have been unable to reproduce this bug with the current versions of kscreensaver in wheezy (4:4.8.4-5) and jessie (4:4.12.4-1).

Please could you advise the following to help reproduce the problem:

* Are all of the VT sessions logged in as different users?
* Are there any errors in /var/log/auth.log ?
* Are there any errors in ~/.xsession-errors ?
* What authentication type is PAM using (e.g. shadow, ldap, krb5) ?
* What is the result of the following command on the different VTs with an invalid password:

/usr/lib/kde4/libexec/kcheckpass; echo $?

Thanks

--
Jim Scadden
Bug#737396: kscreensaver: locked screen allows any password if a third session (vt9) is also active
Package: kscreensaver
Version: 4:4.8.4-5
Justification: causes serious data loss
Severity: critical
Tags: security

Dear Maintainer,

after activating three (KDE) sessions on vt7, vt8 and vt9, one of the sessions does not need a password entered at the login widget; still, it lets you in. Which session is affected is not clear, it seems to be random. Not sure, but I think even root sessions could be started this way.

Thanks

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages kscreensaver depends on:
ii  kde-runtime               4:4.11.3-1
ii  kde-workspace-bin         4:4.11.3-2
ii  libc6                     2.17-97
ii  libgl1-mesa-glx [libgl1]  9.1.3-6
ii  libglu1-mesa [libglu1]    9.0.0-2
ii  libkdecore5               4:4.11.3-2
ii  libkdeui5                 4:4.11.3-2
ii  libkexiv2-10              4:4.8.4-1
ii  libkio5                   4:4.11.3-2
ii  libkparts4                4:4.11.3-2
ii  libkscreensaver5          4:4.11.3-2
ii  libqt4-opengl             4:4.8.4+dfsg-4
ii  libqtcore4                4:4.8.4+dfsg-4
ii  libqtgui4                 4:4.8.4+dfsg-4
ii  libstdc++6                4.8.2-10
ii  libx11-6                  2:1.6.2-1

Versions of packages kscreensaver recommends:
ii  kde-window-manager        4:4.11.3-2
ii  kscreensaver-xsavers      4:4.8.4-5

kscreensaver suggests no packages.

-- no debconf information