https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c1 David Liang changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dliang@suse.com --- Comment #1 from David Liang 2012-09-11 08:17:17 UTC --- Found bug in the gdm 'passwordless' code, at the beginning, it uses 'gdm' service to create conversation, but later, choose 'gdm-autologin' to handle the password less issue. Thus, it cannot find the conversation correctly. In my testing, it will hang up after choose the user. But sometimes, gdm will behavior like your description, in this situation, gdm did not recognize passwordless setting. (In reply to comment #0)

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0

It is impossible to log in to a user account if the password login option is set to "choose password at next login" or "log in without password" in GNOME System Settings.

Also, there are some selection issues with these options. After selecting "choose password at next login", if you then select "log in without password", your setting will be reverted. You can disable the account, but if you then select "log in without password", it will again revert to "choose password at next login". The only way to select "log in without password" at this point is to set a password anyway, then select "log in without password." Your selection will now be retained. (Though you'll still be unable to log in. ^^)

Reproducible: Always

Steps to Reproduce: 1. Go to System Settings -> User accounts and create a new user account for testing. 2. Select "log in without password" 3. Log out of your current account and attempt to log into the new account. 4. GDM will request a password, as if it doesn't realize you do not have one. (This might be intentional.) Leave the password field blank. An authentication failure will occur. 5. Log in to your original account and change the test account to "choose password at next login." 6. Log out and try to login to the test account. GDM will request a password as usual, without prompting for the creation of a new one. Enter anything (since you're supposed to be setting your password). An authentication failure will occur. 7. Log back into your original account and change the setting on the test accoutn to "log in without password". Wait about two seconds and the setting will revert to "choose password at next login."

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c3 --- Comment #3 from Michael Catanzaro 2012-09-13 19:37:19 UTC --- When I log in via tty1 after selecting "choose password at next login" I still get prompted for a password, but no password works, same as when trying to log in via GDM. (This time I forgot to make another user account first, so I had to log in as root to recover.) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c5 --- Comment #5 from David Liang 2012-10-12 09:46:17 UTC --- I saw the 'choose password at next login' bug as you described, the old password failed to work, password match failed in the underling pam module. But I cannot reproduce it anymore... Can you still be able to reproduce it? Any steps which I can following? (In reply to comment #3)

When I log in via tty1 after selecting "choose password at next login" I still get prompted for a password, but no password works, same as when trying to log in via GDM. (This time I forgot to make another user account first, so I had to log in as root to recover.)

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c7 --- Comment #7 from Benjamin Brunner 2012-10-15 10:49:35 CEST --- David, please see the following declined message of the opensuse-review-team. Could you fix the missing description, please and submit it again? Thanks. Request: #137959 maintenance_release: openSUSE:Maintenance:1002/gdm.openSUSE_12.2_Update -> openSUSE:12.2:Update/gdm.1002 maintenance_release: openSUSE:Maintenance:1002/patchinfo -> openSUSE:12.2:Update/patchinfo.1002 Message: <no message> State: declined 2012-10-12T15:34:40 a_jaeger Comment: The GNOME team has a convention of using a # PATCH description for each patch in the spec file. Please follow this convention also for this update. Thanks, Andreas -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c9 --- Comment #9 from Swamp Workflow Management 2012-10-23 11:08:43 UTC --- openSUSE-RU-2012:1384-1: An update that has two recommended fixes can now be installed. Category: recommended (low) Bug References: 779408,785152 CVE References: Sources used: openSUSE 12.1 (src): gdm-3.2.0-5.10.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c11 Michael Catanzaro changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED | --- Comment #11 from Michael Catanzaro 2013-01-06 21:09:30 UTC --- Reopened since login without password was never fixed. I'm working on a patch that removes it from the UI simply because there's other stuff on the page that's also broken (automatic password generation, password hints). But I haven't yet found the underlying problem. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c Michael Catanzaro changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO InfoProvider| |maintenance@opensuse.org -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c14 Michael Catanzaro changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vuntz@suse.com --- Comment #14 from Michael Catanzaro 2013-01-11 05:47:11 UTC --- Well I think we should not use my patch; this is indeed just a PAM misconfiguration, so we should fix it instead of removing the feature. Our gdm-password in /etc/pam.d has the following line for auth; everything below auth doesn't matter: auth include common-auth Here is my common-auth: auth required pam_env.so auth optional pam_gnome_keyring.so auth required pam_unix2.so This is wrong for various reasons: 1) pam_unix2 must come before gnome_keyring, not after, or else the keyring will naturally prompt for a password, which would be wrong in this case. 2) pam_unix2 must not be required and must have the nullok option, or else you won't be able to login at all (if you're set to choose password at next login). Both of these constraints seem "wrong" to me - why should you need nullok just to make setting the password not fail - but that seems to be how it works. So this is the best I could come up with (for gdm-password): auth required pam_env.so auth sufficient pam_unix2.so nullok auth required pam_deny.so auth optional pam_gnome_keyring.so But that's clearly wrong, since it breaks gnome-keyring (you can't reach that last line). Then I found some old bugs (links below) and came up with this: auth required pam_env.so auth substack gdm-auth auth optional pam_gnome_keyring.so Where gdm-auth is a new file: auth sufficient pam_unix2.so nullok auth required pam_deny.so But that does not work either, since now pam_gnome_keyring is prompting for a password again... and so I am completely stumped at what to try next. Furthermore, I wouldn't know how to integrate a solution using pam-config. Relevant-ish: https://bugzilla.novell.com/show_bug.cgi?id=443189 https://bugzilla.novell.com/show_bug.cgi?id=477488 CC Vincent since you've worked on this in the past. This works perfectly on Fedora (I'll attach Fedora's configuration), but they're using authconfig instead of pam-config. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c16 --- Comment #16 from Michael Catanzaro 2013-01-11 05:53:05 UTC --- Created an attachment (id=519834) --> (http://bugzilla.novell.com/attachment.cgi?id=519834) Fedora password-auth, generated by authconfig This is of limited value to us since they use authconfig... but it works so it might help. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c18 Vincent Untz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO InfoProvider| |mike.catanzaro@gmail.com --- Comment #18 from Vincent Untz 2013-01-11 07:23:36 UTC --- Note that password expiry in pam is not related to the auth group, but to the account group. It might simply be that "chage -d 0" which is being used to force setting password on next login doesn't work like this on openSUSE. Does it actually work if you log in a console (or with "su -")? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c20 --- Comment #20 from Bernhard Wiedemann 2013-01-15 06:00:12 CET --- This is an autogenerated message for OBS integration: This bug (779408) was mentioned in https://build.opensuse.org/request/show/148527 Maintenance / -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c22 --- Comment #22 from Bernhard Wiedemann 2013-01-15 07:00:11 CET --- This is an autogenerated message for OBS integration: This bug (779408) was mentioned in https://build.opensuse.org/request/show/148528 Maintenance / -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c24 Michael Catanzaro changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED InfoProvider|mike.catanzaro@gmail.com | Severity|Major |Critical --- Comment #24 from Michael Catanzaro 2013-01-15 19:55:08 UTC --- - is someone pushing apg to Factory? Not that I know of but it's a nonissue since v3.6 uses libpwquality instead of apg, so it's already fixed. - is gnome-control-center-password-must-change.patch upstreamed? I've responded in https://bugzilla.novell.com/show_bug.cgi?id=779413 - what's the long term plan for fixing the "change at next login" issue? I have no idea because I don't know how to fix the PAM issue. =( It'd be much better if we could fix that, since we would not need this patch at all. I included this temporary workaround in my maintenance request since (1) it fits nicely with the other fixes to the same dialog and is trivial to remove later when PAM gets fixed, and (2) the feature is totally useless and purely dangerous until then. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c26 --- Comment #26 from Michael Catanzaro 2013-01-16 18:02:49 UTC --- I think that's this one. :-) I was just planning to reopen it after the maintenance update. Would it be better to make a new one? (Should we assign it to the base system team?) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c28 --- Comment #28 from Michael Catanzaro 2013-01-17 03:24:32 UTC --- Er, a bit late to be noticing this - but passwordless login still doesn't work either. Which is slightly expected since there is no nullok on pam_unix2.so. Peter does it work for you? sudo /usr/sbin/pam-config --update --nullok fixes it.... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c30 --- Comment #30 from David Liang 2013-01-18 08:32:03 UTC --- I see what is the difference, my previous attempts were based on Yast -- user account manager -- choose 'force password change'. In the console login, you can verify it. gdm works after applying my patch. In Yast, the old password was preserved, the expire date was changed to '0'. In system setting (accountservice), the expire data was changed to '0', however old password was cleaned. Pam authenticated policy will verify the old password and ask the user to set the new password. In system setting, as the old password was cleaned, pam failed to authenticate the password. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c32 --- Comment #32 from Michael Catanzaro 2013-01-18 20:25:40 UTC --- Keeping the password will not break any existing use-cases that I can think of, so that's a reasonable first step. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c34 --- Comment #34 from Vincent Untz 2013-01-21 14:57:41 UTC --- (In reply to comment #33)

Hi, I get some other opinions while reading this code.

I was just talking about the "set password at next login" option. Passwordless is a different matter, indeed. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c36 --- Comment #36 from Michael Catanzaro 2013-01-25 21:37:44 UTC --- This seems to me to be an issue of conflicting designs. There's really no point in trying to find workarounds for the broken settings, IMO, as they are broken by design - Thorsten simply doesn't want you to be able to authenticate without a password (the YaST/sysconfig option being the senseless exception). I see the following options: (a) change the common PAM configuration, (b) ignore the common PAM configuration, or (c) simply remove the options from g-c-c. Alternatively we could remove "login without password" and still try to save "choose password at next login" by using the change to accountsservice proposed above. It will kind of work, but it's not sufficient in itself in that (a) we'd still have to patch g-c-c to hide the option when the user currently has no password, and (b) you're prompted for your current password twice (once to authenticate, once to start the password change process) which is non-ideal. (By the way, the presence of the sysconfig options is silly and complicating. Why would you want to enable passwordless login for ALL accounts when you could instead enable it selectively for each one....) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c38 --- Comment #38 from Vincent Untz 2013-02-06 07:03:28 UTC --- (In reply to comment #37)

Vincent, I think it would be a good idea to just remove the broken UI for the time being -- does that sound good?

As long as the right fixes are being worked on for the long term, that's fine with me. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c40 --- Comment #40 from Swamp Workflow Management 2013-02-25 09:04:51 UTC --- openSUSE-RU-2013:0331-1: An update that has four recommended fixes can now be installed. Category: recommended (low) Bug References: 779408,779413,779414,796932 CVE References: Sources used: openSUSE 12.2 (src): gnome-control-center-3.4.2-3.15.1 openSUSE 12.1 (src): gnome-control-center-3.2.1-2.10.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=779408 https://bugzilla.novell.com/show_bug.cgi?id=779408#c42 Benjamin Brunner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED --- Comment #42 from Benjamin Brunner 2013-03-18 17:39:31 CET --- Update released for openSUSE 12.3. Resolved fixed. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.