mrozekma / alock

Automatically exported from code.google.com/p/alock
MIT License

pam authentication doesn't work if the first time you supply wrong password #27

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. alock -auth pam
2. supply wrong password, output is "pam error:Authentication failure"
3. then supply correct or wrong password, output is "pam error:Success"
4. can't unlock anymore

What is the expected output? What do you see instead?
alock should unlock even if we type a wrong password the first time

What version of the product are you using? On what operating system?
alock-svn-94.tar.bz2, ubuntu lucid 32bit

Please provide any additional information below.

PAM authentication only works if you supply the password correctly the first time.
If you supply a wrong password the first time, you won't be able to unlock
anymore.

Original issue reported on code.google.com by giah...@gmail.com on 7 Jan 2013 at 8:39

GoogleCodeExporter commented 9 years ago
More information.
/etc/pam.d/common-session
session required        pam_mkhomedir.so        skel=/etc/skel/ umask=022
session required        pam_unix.so
session optional        pam_krb5.so minimum_uid=1000    use_first_pass

correct password auth.log:
Jan  7 15:23:28 mycomputer alock: pam_krb5(login:auth): user abc authenticated as abc@localhost.org
Jan  7 15:23:28 mycomputer alock: pam_winbind(login:auth): getting password (0x00000210)
Jan  7 15:23:28 mycomputer alock: pam_winbind(login:auth): pam_get_item returned a password
Jan  7 15:23:28 mycomputer alock: pam_winbind(login:auth): user 'abc' granted access

wrong password auth.log:
Jan  7 15:24:23 mycomputer alock: pam_krb5(login:auth): authentication failure; logname=abc uid=10016 euid=10016 tty=/dev/pts/1 ruser= rhost=
Jan  7 15:24:23 mycomputer alock: pam_unix(login:auth): authentication failure; logname=abc uid=10016 euid=10016 tty=/dev/pts/1 ruser= rhost=  user=abc
Jan  7 15:24:23 mycomputer alock: pam_winbind(login:auth): getting password (0x00000210)
Jan  7 15:24:23 mycomputer alock: pam_winbind(login:auth): pam_get_item returned a password
Jan  7 15:24:24 mycomputer alock: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jan  7 15:24:24 mycomputer alock: pam_winbind(login:auth): user 'abc' denied access (incorrect password or invalid membership)

If I continue to type a correct or wrong password the second time, third time...
after a wrong password the first time, auth.log doesn't have any new log entries.

Original comment by giah...@gmail.com on 7 Jan 2013 at 8:49

GoogleCodeExporter commented 9 years ago

Original comment by mathias....@gmail.com on 7 Jan 2013 at 8:50

GoogleCodeExporter commented 9 years ago
i can't reproduce it here, i typed 2 times the wrong password, 3rd try was the 
correct one:

Jan  8 10:13:54 HOST unix_chkpwd[14509]: password check failed for user (USER)
Jan  8 10:13:54 HOST alock: pam_unix(login:auth): authentication failure; logname=USER uid=1000 euid=1000 tty=/dev/pts/3 ruser= rhost=  user=USER
Jan  8 10:14:00 HOST unix_chkpwd[14510]: password check failed for user (USER)
Jan  8 10:14:00 HOST alock: pam_unix(login:auth): authentication failure; logname=USER uid=1000 euid=1000 tty=/dev/pts/3 ruser= rhost=  user=HOST

can you log into the system with false-passwords on normal console / xdm login?

Original comment by mathias....@gmail.com on 8 Jan 2013 at 9:17

GoogleCodeExporter commented 9 years ago
Hi,

I don't have any problem with PAM on xdm/console login. Wrong password = failed 
login, correct password = successful login

Original comment by giah...@gmail.com on 9 Jan 2013 at 3:56

GoogleCodeExporter commented 9 years ago
Can you figure out which Pam modules are involved on console / xdm? 

Original comment by mathias....@gmail.com on 9 Jan 2013 at 4:25

GoogleCodeExporter commented 9 years ago
Hi,

/etc/pam.d/gdm
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional        pam_gnome_keyring.so auto_start
@include common-password

/etc/pam.d/common-auth
auth    [success=2      default=ignore] pam_krb5.so minimum_uid=1000
auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_group.so use_first_pass
auth    required        pam_winbind.so use_first_pass cached_login

/etc/pam.d/common-account
account sufficient      pam_winbind.so
account required        pam_unix.so

/etc/pam.d/common-session
session required        pam_mkhomedir.so        skel=/etc/skel/ umask=022
session required        pam_unix.so
session optional        pam_foreground.so
session optional        pam_krb5.so minimum_uid=1000    use_first_pass

/etc/pam.d/common-password
password   sufficient pam_winbind.so
password   sufficient pam_unix.so nullok obscure md5
password [success=1 default=ignore] pam_unix.so obscure sha512

/etc/pam.d/gdm-autologin
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth    required        pam_permit.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password

I ran "alock -auth pam" from gnome-terminal

Original comment by giah...@gmail.com on 9 Jan 2013 at 7:22
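
Added example (not part of the original thread and not alock's code): a small Python model of how libpam walks the auth lines of the /etc/pam.d/common-auth posted above. It accounts for pam_unix showing up only in the wrong-password auth.log: on a correct password, `success=2` on pam_krb5 skips pam_unix and pam_group. The names `parse_stack`, `evaluate`, `CORRECT` and `WRONG` are introduced here; the pam_group result and treating a numeric jump as having no effect on the verdict are assumptions, and neither changes the outcome for this stack.

```python
import re

# Auth lines of /etc/pam.d/common-auth as posted in the thread.
COMMON_AUTH = """\
auth    [success=2      default=ignore] pam_krb5.so minimum_uid=1000
auth    sufficient      pam_unix.so nullok_secure
auth    required        pam_group.so use_first_pass
auth    required        pam_winbind.so use_first_pass cached_login
"""
# Keyword controls in bracket form per pam.conf(5); new_authtok_reqd omitted.
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
# Per-module results read off the posted alock auth.log excerpts. pam_group
# logs nothing there, so its "ignore" result is an assumption.
CORRECT = {"pam_krb5.so": "success", "pam_winbind.so": "success"}
WRONG = {"pam_krb5.so": "auth_err", "pam_unix.so": "auth_err",
         "pam_group.so": "ignore", "pam_winbind.so": "auth_err"}

def parse_stack(text):
    stack = []
    for ctl, module in re.findall(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", text, re.M):
        actions = (dict(kv.split("=") for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((module, actions))
    return stack

def evaluate(stack, results):
    """results: module -> 'success' | 'auth_err' | 'ignore'. Returns (ok, called)."""
    verdict, called, i = None, [], 0      # None = no module has decided yet
    while i < len(stack):
        module, actions = stack[i]
        called.append(module)
        action = actions.get(results[module], actions["default"])
        i += 1
        if action.isdigit():              # jump: skip the next N modules
            i += int(action)              # (assumed not to affect the verdict)
        elif action in ("ok", "done"):
            verdict = True if verdict is None else verdict
            if action == "done" and verdict:
                break                     # sufficient success ends the stack
        elif action in ("bad", "die"):
            verdict = False               # a required failure is sticky
            if action == "die":
                break
    return verdict is True, called
```

`evaluate(parse_stack(COMMON_AUTH), CORRECT)` calls only pam_krb5 and pam_winbind, while `WRONG` walks all four modules and fails on the required pam_winbind, which is the module order seen in the two alock auth.log excerpts.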

GoogleCodeExporter commented 9 years ago
can you also show a log of a failed login via gdm?

Original comment by mathias....@gmail.com on 9 Jan 2013 at 1:01

GoogleCodeExporter commented 9 years ago
Hi,

failed login: (The first line is logged when I enter username)
Jan 11 14:34:27 mycomputer gdm-session-worker[9121]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc"
Jan 11 14:34:34 mycomputer gdm-session-worker[9121]: pam_krb5(gdm:auth): authentication failure; logname=abc uid=0 euid=0 tty=:0 ruser= rhost=

successful login:
Jan 11 14:33:32 mycomputer gdm-session-worker[8865]: pam_succeed_if(gdm:auth): requirement "user ingroup nopasswdlogin" not met by user "abc"
Jan 11 14:33:39 mycomputer gdm-session-worker[8865]: pam_krb5(gdm:auth): user abc authenticated as abc@localhost.org
Jan 11 14:33:39 mycomputer gdm-session-worker[8865]: pam_winbind(gdm:auth): getting password (0x00000210)
Jan 11 14:33:39 mycomputer gdm-session-worker[8865]: pam_winbind(gdm:auth): pam_get_item returned a password
Jan 11 14:33:39 mycomputer gdm-session-worker[8865]: pam_winbind(gdm:auth): user 'abc' granted access
Jan 11 14:33:39 mycomputer gdm-session-worker[8865]: pam_winbind(gdm:account): user 'abc' granted access
Jan 11 14:33:39 mycomputer gdm-session-worker[8865]: pam_unix(gdm:session): session opened for user abc by (uid=0)
Jan 11 14:33:40 mycomputer polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session8 (system bus name :1.131 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US)

Thanks for checking!

Original comment by giah...@gmail.com on 11 Jan 2013 at 7:38

GoogleCodeExporter commented 9 years ago
i retested with libpam-krb5:amd64 and libpam-winbind:amd64 installed (in all
combinations of it: none, both, each of it installed).

can't reproduce it anymore.

do you type your password when you get the green-border?

Original comment by mathias....@gmail.com on 11 Jan 2013 at 7:49

GoogleCodeExporter commented 9 years ago
Yes, I typed my password :P.
The first time it works. But if the first time is a wrong password, it won't work. So
I know how to type it correctly, right? Type when the green border appears.
Do we have a problem with special characters in the password, and with the first
letter in capital?

Original comment by giah...@gmail.com on 11 Jan 2013 at 9:38

GoogleCodeExporter commented 9 years ago
I type the first letter by pressing shift + letter. My special characters are "'"
"@" "$" "."

Original comment by giah...@gmail.com on 11 Jan 2013 at 9:39

GoogleCodeExporter commented 9 years ago
pam+winbind might delay the authentication a little bit. i take the current
time, push the password to the auth-backend and if that fails, calculate the 
re-auth-penalty. since pam+winbind might take longer in the first couple of 
auth-failures, alock might jump right back into "gimme your password" mode. 
this happened to me and i mistyped the password and reproduced the bug until i 
figured the timing issue and followed the 
alock-gives-me-a-green-border-so-i-have-to-directly-type-in-the-password .. and 
then it worked. that's why i was asking about the green-border-do-you-type 
thingy.

special characters in the password should not be a problem, otherwise the issue 
wouldn't be "alock works when given the password the first time, but stops 
after the 2nd time".

Original comment by mathias....@gmail.com on 12 Jan 2013 at 7:36

GoogleCodeExporter commented 9 years ago
For my case, if I type a wrong password the first time, the border is "red". I press
"Enter" to get to the green border. Then I type the password a 2nd time.
So you mean we will wait for a couple of minutes after the failed password? Is
the green border the signal of "gimme password mode"?

Original comment by giah...@gmail.com on 12 Jan 2013 at 12:29

GoogleCodeExporter commented 9 years ago
green is for "start typing your password". you must hit a key to activate 
green. if it is green already ... you might have pressed some keys already :)

Original comment by mathias....@gmail.com on 12 Jan 2013 at 12:31

GoogleCodeExporter commented 9 years ago
So I did the right way to enter password :). I pressed "Enter" to activate it.
No solution yet? :(

Original comment by giah...@gmail.com on 12 Jan 2013 at 12:50

GoogleCodeExporter commented 9 years ago
you could shy away from the problem and use something other than pam.

Original comment by mathias....@gmail.com on 12 Jan 2013 at 12:51