Bug#1035732: libkscreenlocker5: Endless loop when using PAM
Package: libkscreenlocker5
Version: 5.20.5-1
Severity: critical
Tags: patch upstream
Justification: breaks the whole system
Dear Maintainer,
* What led up to the situation?
A variation of upstream bug report https://bugs.kde.org/show_bug.cgi?id=438099
pam-configuration with
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
and
pressing "enter" to unlock the screen without entering a password.
* What was the outcome of this action?
Endless loop of
kcheckpass[74114]: pam_krb5(kde:auth): pam_sm_authenticate: entry
kcheckpass[74114]: pam_krb5(kde:auth): (user XXXX) error getting password: Conversation error
kcheckpass[74114]: pam_krb5(kde:auth): authentication failure; logname=XXXX uid=XXXX euid=XXXX tty=:1 ruser= rhost=
kcheckpass[74114]: pam_krb5(kde:auth): pam_sm_authenticate: exit (failure)
kcheckpass[74114]: pam_unix(kde:auth): conversation failed
kcheckpass[74114]: pam_unix(kde:auth): auth could not identify password for [XXXX]
(here more than 250 times / second)
till next unlock attempt with a password.
Flooding /var/log/auth.log and central authentication services.
(Thus an unintentional "enter" on a locked screen can result in at least completely filled disks.)
* What outcome did you expect instead?
Authentication failure.
Please include the short patch
https://invent.kde.org/plasma/kscreenlocker/-/commit/fca315cf72826f93eda7a026016b33818b9d1f39
to kscreenlocker-5.20.5 in bullseye.
The critical part has been completely rewritten in kscreenlocker-5.27.2
(testing) and the problem probably doesn't apply there.
Best regards,
Andreas Poenicke
BTW:
Hotfix:
Separate /etc/pam.d/kde configuration with "use_first_pass" instead of
"try_first_pass", like
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so use_first_pass
auth requisite pam_deny.so
Which should be ok for kscreenlocker in most cases.
-- System Information:
Debian Release: 11.7
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-22-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:de
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libkscreenlocker5 depends on:
ii kpackagetool5 5.78.0-3
ii libc6 2.31-13+deb11u6
ii libkf5configcore5 5.78.0-4
ii libkf5configgui5 5.78.0-4
ii libkf5coreaddons5 5.78.0-4
ii libkf5crash5 5.78.0-3
ii libkf5declarative5 5.78.0-2
ii libkf5globalaccel-bin 5.78.0-3
ii libkf5globalaccel5 5.78.0-3
ii libkf5i18n5 5.78.0-2
ii libkf5idletime5 5.78.0-2
ii libkf5notifications5 5.78.0-2
ii libkf5package5 5.78.0-3
ii libkf5quickaddons5 5.78.0-2
ii libkf5waylandclient5 4:5.78.0-2
ii libkf5waylandserver5 4:5.78.0-2
ii libkf5windowsystem5 5.78.0-2
ii libkf5xmlgui5 5.78.0-2
ii libpam0g 1.4.0-9+deb11u1
ii libqt5core5a 5.15.2+dfsg-9
ii libqt5dbus5 5.15.2+dfsg-9
ii libqt5gui5 5.15.2+dfsg-9
ii libqt5network5 5.15.2+dfsg-9
ii libqt5qml5 5.15.2+dfsg-6
ii libqt5quick5 5.15.2+dfsg-6
ii libqt5widgets5 5.15.2+dfsg-9
ii libqt5x11extras5 5.15.2-2
ii libstdc++6 10.2.1-6
ii libwayland-client0 1.18.0-2~exp1.1
ii libwayland-server0 1.18.0-2~exp1.1
ii libx11-6 2:1.7.2-1
ii libxcb-keysyms1 0.4.0-1+b2
ii libxcb1 1.14-3
ii libxi6 2:1.7.10-1
ii psmisc 23.4-2
Versions of packages libkscreenlocker5 recommends:
ii kde-config-screenlocker 5.20.5-1
libkscreenlocker5 suggests no packages.
-- no debconf information
--
Karlsruher Institut für Technologie
Institut für Theoretische Festkörperphysik
Institut für Theorie der Kondensierten Materie
Dr. Andreas Poenicke
Wolfgang-Gaede-Str. 1, Building 30.23, D-76128 Karlsruhe
Telephone: +49-721-608-43365 Fax: +49-721-608-47040
E-Mail: andreas.poenicke@kit.edu WWW: www.tfp.kit.edu
KIT - The Research University in the Helmholtz Association
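The flood described in this report (several hundred "conversation failed" lines per second from one kcheckpass process until the next real unlock attempt) is easy to tell apart from an ordinary failed unlock, which logs a handful of lines per attempt. The following script is an added example, not code from the bug report, from kscreenlocker or from Debian: it parses syslog-style auth.log lines, counts PAM conversation-error messages per program, PID and second, and flags any second in which the count exceeds a threshold. The host name, user name, timestamps and the sample log built by build_sample_log() are constructed for the example; only the message texts are taken from the report above.

```python
import re
from collections import Counter

# Syslog-style auth.log line, e.g.
# "Apr  8 10:15:32 ws01 kcheckpass[74114]: pam_unix(kde:auth): conversation failed"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Message fragments that identify a PAM conversation error (texts from the report).
CONV_ERROR_MARKERS = (
    "Conversation error",      # pam_krb5: error getting password: Conversation error
    "conversation failed",     # pam_unix: conversation failed
)


def parse_line(line):
    """Split one auth.log line into timestamp, program, PID and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "prog": m.group("prog"),
        "pid": int(m.group("pid")),
        "msg": m.group("msg"),
    }


def is_conversation_error(msg):
    return any(marker in msg for marker in CONV_ERROR_MARKERS)


def count_conv_errors(lines):
    """Return {(prog, pid, timestamp_second): number of conversation-error messages}."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_conversation_error(rec["msg"]):
            counts[(rec["prog"], rec["pid"], rec["ts"])] += 1
    return counts


def find_loops(lines, threshold=20):
    """Flag (prog, pid, second) tuples whose conversation-error count reaches the threshold.

    A genuine failed unlock yields at most a few conversation errors per attempt, so a
    threshold of 20 per second only triggers on a retry loop like the one in this report.
    """
    return sorted(key for key, n in count_conv_errors(lines).items() if n >= threshold)


def build_sample_log():
    """Constructed sample: one ordinary failed unlock (pid 74200) and a retry loop (pid 74114)."""
    host = "ws01"   # constructed host name
    user = "alice"  # constructed user name
    normal = [
        f"Apr  8 10:14:01 {host} kcheckpass[74200]: pam_unix(kde:auth): authentication failure; "
        f"logname={user} uid=1000 euid=1000 tty=:1 ruser= rhost=  user={user}",
    ]
    loop = []
    for _ in range(300):  # 300 retries logged within the same second
        loop.append(f"Apr  8 10:15:32 {host} kcheckpass[74114]: pam_krb5(kde:auth): "
                    f"(user {user}) error getting password: Conversation error")
        loop.append(f"Apr  8 10:15:32 {host} kcheckpass[74114]: pam_unix(kde:auth): conversation failed")
        loop.append(f"Apr  8 10:15:32 {host} kcheckpass[74114]: pam_unix(kde:auth): "
                    f"auth could not identify password for [{user}]")
    return normal + loop


if __name__ == "__main__":
    for prog, pid, ts in find_loops(build_sample_log()):
        print(f"{ts}: {prog}[{pid}] is looping on PAM conversation errors")
```

To run it against a real file, replace build_sample_log() with the lines of /var/log/auth.log (for example `find_loops(open("/var/log/auth.log").readlines())`). The per-second key is the raw syslog timestamp string, so the script needs no year or timezone handling; if the log uses ISO timestamps, adjust LINE_RE accordingly.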