Ubuntu 20.04 GDM increments pam_tally without password input

drcomputer

1/24/23, 2:49 AM

I have an Ubuntu 20.04 machine with slightly modified common-auth and common-password files to lock the user out for 10 minutes if an incorrect password is tried 10 times. This works fine in the Terminal and elsewhere, but I noticed that in GDM while clicking a user account from the list, not entering anything at all nor pressing enter to actually attempt the login, the tally is incremented. Each time you click a user this "attempt" is also logged to /var/log/auth.log by gdm-password:auth.

I'm unsure whether this is normal behavior for GDM but if it is I'm curious how to get around it as it's very inconvenient to get locked out for not even making an attempt.

FWIW (not sure if this is causing the issue), here is my PAM setup: common-auth:

auth    required                pam_tally2.so onerr=fail deny=10 unlock_time=600
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

common-password:

password    requisite            pam_pwquality.so retry=3 minlen=16 reject_username
password    [success=1 default=ignore]    pam_unix.so obscure remember=8 use_authtok sha512
password    requisite            pam_deny.so
password    required            pam_permit.so
password    optional    pam_gnome_keyring.so

Any insight into this issue is appreciated.

114

0 + 0

gdm

password

pam

Alejandro

1/30/23, 8:03 AM

It may have something to do with the fact that it is possible to login without entering a password or that the user may actually have no password, so `gdm` may first try to login directly, and if it fails then it asks for the password (or whichever verification method is enabled, such as a 2FA code). Not sure, will investigate if I find time today.

drcomputer

1/30/23, 6:29 PM

Thank you for your reply, I was imagining something similar to this could be what's ultimately causing it, but it's something that I would assume gdm has taken in to account and checks first.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Ubuntu 20.04 GDM increments pam_tally without password input

TH: Ubuntu 20.04 GDM เพิ่มขึ้น pam_tally โดยไม่ต้องป้อนรหัสผ่าน

RO: Ubuntu 20.04 GDM incrementează pam_tally fără introducerea parolei

RU: Ubuntu 20.04 GDM увеличивает pam_tally без ввода пароля

VI: Ubuntu 20.04 GDM tăng pam_tally mà không cần nhập mật khẩu

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.