pam_conv.conv callback not honored by lightdm/unity-greeter

Bug #947663 reported by Thomas Bushnell, BSG
This bug affects 1 person
Affects: unity-greeter (Ubuntu)
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

Reporting against unity-greeter because it's a UI problem, but it might well go deeper.

We have a pam auth module which needs to use pam_conv.conv (the callback function which prompts the user). It implements a two-factor authentication regime, in which the first factor is a conventional unechoed password, and the second factor is a multi-digit OTP, which should be echoed.

When this module is in use, lightdm *almost* gets it right. I enter the first password, and it is not echoed, and then I get the *same* visual appearance (the box with my name) as it sits silently waiting for the OTP. And that one does get echoed.

Everything works...except it didn't bother to display the prompts. I know the designers have decided what the prompts are, but it's not up to them when they didn't design the pam module... ;0

Specifically, our prompts are "SSO password: ", "OTP (OPTIONAL): ", "OTP: ", and also some error messages.

The "SSO password: " prompt is PAM_PROMPT_ECHO_OFF; the two OTP messages are PAM_PROMPT_ECHO_ON; the error messages are PAM_ERROR_MSG. Sometimes we issue a PAM_TEXT_INFO notice as well.

We need all of these to be displayed, without exception (which is what the pam rules say you're supposed to do).
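
Added example, not code from unity-greeter, LightDM, or the reporter's module: a PAM conversation callback in C that handles all four message styles named in the report and passes each message's text to the UI verbatim, using `msg_style` only to choose echo and whether an answer is expected. The `ui_show`, `ui_ask` and `say` helpers, the canned answers, and the local stand-in declarations for `<security/pam_appl.h>` are assumptions made so the block compiles without PAM headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for <security/pam_appl.h> (Linux-PAM names/values); real code includes it. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
static char shown[256];   /* hypothetical UI: transcript of what gets drawn */
static void ui_show(const char *kind, const char *text) {
    size_t used = strlen(shown);
    snprintf(shown + used, sizeof shown - used, "[%s] %s\n", kind, text);
}
static char *ui_ask(int echo, const char *prompt) {
    char *answer = calloc(1, 32);   /* PAM frees resp, so heap-allocate */
    ui_show(echo ? "echo" : "noecho", prompt);   /* the module's own prompt text */
    return answer ? strcpy(answer, echo ? "123456" : "constructed-secret") : NULL;
}
/* Conversation callback: message text is shown exactly as the module sent it;
   msg_style only selects echo and whether an answer is expected. */
int greeter_conv(int n, const struct pam_message **msg,
                 struct pam_response **resp, void *appdata) {
    (void)appdata;
    if (n <= 0 || !msg || !resp) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        int s = msg[i]->msg_style, ok = 1;
        if (s == PAM_PROMPT_ECHO_OFF || s == PAM_PROMPT_ECHO_ON)
            ok = (r[i].resp = ui_ask(s == PAM_PROMPT_ECHO_ON, msg[i]->msg)) != NULL;
        else if (s == PAM_ERROR_MSG || s == PAM_TEXT_INFO)
            ui_show(s == PAM_ERROR_MSG ? "error" : "info", msg[i]->msg);
        else ok = 0;   /* unknown style: fail rather than guess */
        if (ok) continue;
        for (int j = 0; j < n; j++) free(r[j].resp);
        free(r);
        return PAM_CONV_ERR;
    }
    *resp = r;
    return PAM_SUCCESS;
}
/* Sends one module-to-user message through the callback, as a module would. */
int say(int style, const char *text) {
    struct pam_message m = { style, text };
    const struct pam_message *p = &m;
    struct pam_response *r = NULL;
    int rc = greeter_conv(1, &p, &r, NULL);
    if (rc == PAM_SUCCESS) { free(r[0].resp); free(r); }
    return rc;
}
```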

Thomas Bushnell, BSG (tbushnell) wrote :

It appears that user-list.vala (user_list.show_prompt) basically ignores the text of the prompt and displays its own messages, based on the guess that if echo is off then it's a password, and if echo is on, it's a user, sort of, sometimes.

This is quite wrong.

Robert Ancell (robert-ancell) wrote :

Hi,

Thanks for following up on this.

I've pushed some changes [1] to improve the types of PAM interaction we expect. If possible please have a look at the code and see if it covers all the cases you use. This definitely highlights that we're not correctly displaying prompts (we used to do better there) so we'll work on fixing those.

[1] lp:~robert-ancell/unity-greeter/better-test-cases

Changed in unity-greeter (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in unity-greeter:
status: New → Triaged
importance: Undecided → High
Thomas Bushnell, BSG (tbushnell) wrote :

I just tried a login with a second factor module in place in pam, and whether it's deliberate or not, I see that a two-factor auth prompt shows up nicely in the unity-greeter box. Perhaps this is because we switched to the new greeter-show-manual-login and disabled greeter-hide-users, or not, but regardless, it looks great.

no longer affects: unity-greeter