Bug 200455 - sys-apps/shadow - login does not validate third login after two failed attempts when USE=pam
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High normal
Assignee: PAM Gentoo Team (OBSOLETE)
Duplicates: 303167 305971 335654
Reported: 2007-11-26 22:52 UTC by Michaelian Ennis
Modified: 2010-09-06 20:05 UTC
Description Michaelian Ennis 2007-11-26 22:52:47 UTC
Found in util-linux-2.12r-r8 and util-linux-2.12r-r7 at least.  Enter the wrong password twice and the third attempt always fails.

Reproducible: Always

Steps to Reproduce:
1. log in attempt with wrong username/password combo
2. log in attempt with wrong username/password combo
3. log in attempt with correct username/password combo

Actual Results:  
Maximum number of tries exceeded (3)

Expected Results:  
A successful log-in.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-11-26 22:57:24 UTC
Try w/ 2.13-r2 and report back, please.
Comment 2 Michaelian Ennis 2007-11-27 00:18:41 UTC
Yes, agetty from util-linux-2.13-r1 and util-linux-2.13-r2 display the same behavior.

Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-11-27 08:28:06 UTC
Reopen.
Comment 4 Michaelian Ennis 2007-11-27 16:42:37 UTC
Tried to find the bug in util-linux last night.  After a couple of hours of incompetent digging I began to wonder if PAM has a hand in the problem.  
Comment 5 SpanKY gentoo-dev 2007-11-28 18:05:07 UTC
then emerge util-linux-2.13-r* with USE=-pam and try again

also, post `emerge info`
Comment 6 Michaelian Ennis 2007-11-29 01:39:43 UTC
Same behavior observed.  Further digging reveals that util-linux-* doesn't honor the pam USE flag.  It is hard coded to use --without-pam.  So  anyway here is my info:

gorilla ~ # emerge info
*** Deprecated use of action 'info', use '--info' instead
Portage 2.1.3.19 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.5-r4, 2.6.18-gentoo-r4 x86_64)
=================================================================
System uname: 2.6.18-gentoo-r4 x86_64 AMD Athlon(tm) 64 Processor 3000+
Timestamp of tree: Mon, 26 Nov 2007 23:30:01 +0000
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl alsa amd64 berkdb bitmap-fonts cli cracklib crypt cups dri eds emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 iconv imlib ipv6 isdnlog jpeg kde libclamav lzw lzw-tiff midi mp3 mpeg mudflap mysal ncurses nls nptl nptlonly opengl openmp pam pcre perl png pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd tiff truetype-fonts type1-fonts usb xorg xpm xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Comment 7 Michaelian Ennis 2007-12-06 17:05:22 UTC
Info supplied
Comment 8 Doug Goldstein (RETIRED) gentoo-dev 2007-12-13 20:21:52 UTC
(In reply to comment #7)
> Info supplied
> 

Testing with util-linux-2.13 without PAM was requested as well. 
Comment 9 SpanKY gentoo-dev 2007-12-24 12:19:42 UTC
you're right, util-linux does not respect USE=pam ... but the login binary does (which comes from the shadow package), and that's what matters considering it is what does authentication, not the agetty program ... agetty merely hooks up some tty with some login program

i'm USE=-pam over here and it works fine for me:
username: root
password: <hit enter>
username: root
password: <hit enter>
username: root
password: <type password>
<works>

please post the version of shadow you're using and run your test again after building shadow with USE=-pam
Comment 10 Michaelian Ennis 2007-12-24 18:07:17 UTC
I am using sys-apps/shadow-4.0.18.1-r1

USE=-pam emerge --newuse shadow

fixed it.  Is this a user error or is there something misconfiguring itself?  

Comment 11 SpanKY gentoo-dev 2007-12-24 19:00:30 UTC
i doubt it's a user bug or a misconfiguration
Comment 12 Doug Whitesell 2008-12-08 22:22:12 UTC
(In reply to comment #11)
> i doubt it's a user bug or a misconfiguration

Yeah, not us...or at least, not something we've done to ourselves.

Users who have not twiddled their config files are reporting this at forums.g.o.

I have the same issue and haven't touched any of the configuration files from pambase or shadow - or any other config files for that matter, from the stage3-2008.0-amd64 tarball.

emerge --info
Portage 2.1.4.5 (default/linux/amd64/2008.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.25-gentoo-r7 x86_64)
=================================================================
System uname: 2.6.25-gentoo-r7 x86_64 Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz
Timestamp of tree: Sun, 07 Dec 2008 15:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r13, 2.5.2-r7
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.4.6-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=nocona -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ "
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X acl alsa amd64 bash-completion berkdb bzip2 cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread fortran gdbm gnome gpm gtk hal iconv imlib ipv6 isdnlog java jpeg midi mmx mp3 mudflap multilib ncurses nls nptl nptlonly ogg openmp oss pam pcre perl pppd python readline reflection ruby session spell spl sse sse2 ssl startup-notification sysfs tcpd truetype unicode vim vim-syntax xinerama xorg xscreensaver zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="vmware"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
----

sys-apps/pambase-20080318
sys-auth/shadow-4.0.18.2
Comment 13 SpanKY gentoo-dev 2009-02-11 05:47:39 UTC
maybe this

--- a/src/login.c
+++ b/src/login.c
@@ -724,7 +724,7 @@ int main (int argc, char **argv)
                failent_user = "UNKNOWN";
            }

-           if (retcode == PAM_MAXTRIES || failcount >= retries) {
+           if (retcode == PAM_MAXTRIES || failcount > retries) {
                SYSLOG ((LOG_NOTICE,
                         "TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
                         failcount, fromhost, failent_user));
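Review bot: the relaxed comparison "failcount > retries" in the changed if lets execution continue when failcount equals retries, so whether this yields exactly retries attempts or retries + 1 depends on where failcount is incremented relative to this check, which the hunk does not show. Please state the intended counting convention in a comment above the condition and confirm that the count printed by the "TOO MANY LOGIN TRIES (%d)" message stays consistent with the configured limit, since this boundary decides how many password guesses one login session allows.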
Comment 14 Peter Volkov (RETIRED) gentoo-dev 2010-02-02 07:17:54 UTC
*** Bug 303167 has been marked as a duplicate of this bug. ***
Comment 15 Pacho Ramos gentoo-dev 2010-02-20 14:57:10 UTC
*** Bug 305971 has been marked as a duplicate of this bug. ***
Comment 16 Da Fox 2010-04-16 12:53:14 UTC
(In reply to comment #13)
> maybe this
> 
> --- a/src/login.c
> +++ b/src/login.c
> @@ -724,7 +724,7 @@ int main (int argc, char **argv)
>                 failent_user = "UNKNOWN";
>             }
> 
> -           if (retcode == PAM_MAXTRIES || failcount >= retries) {
> +           if (retcode == PAM_MAXTRIES || failcount > retries) {
>                 SYSLOG ((LOG_NOTICE,
>                          "TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
>                          failcount, fromhost, failent_user));
> 
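Review bot: the "retcode == PAM_MAXTRIES" half of the condition is left unchanged, so when the PAM stack itself returns PAM_MAXTRIES the adjusted failcount comparison has no effect and the session still ends in this branch. Consider including retcode in the SYSLOG call next to failcount so the two causes can be told apart in the auth log.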

A valiant try, but this does not fix the underlying issue, try this:
  1) False username (username does not exist) / wrong password (does not matter)
  2) Correct username / wrong password
  3) Correct username / wrong password
  4) Correct username / correct password
Using sys-apps/shadow-4.1.2.2 + your patch this prints the following:
"Maximum number of tries exceeded (4)"
However I did not change the maximum number of retries, it is still set to 3.
Please fix this ASAP, this is an ancient bug (I've seen reports dating back to 2007), with numerous duplicates. It looks just plain sloppy and unprofessional to have such an elementary bug in your login-code...

Note that I tried to report this bug upstream too, but my account creation at alioth (https://alioth.debian.org) seems to fail. I think it would be beneficial if someone could please try to get upstream's attention on this too.
Comment 17 Da Fox 2010-05-22 09:44:37 UTC
Can we at least properly assign this bug to someone so that he/she remains aware of it? Currently the bug is assigned to the 'PAM Gentoo Team', but the bug's status is still 'NEW', not 'ASSIGNED'.
Comment 18 SpanKY gentoo-dev 2010-05-23 01:40:10 UTC
it is properly assigned.  either contribute a fix or wait for someone.
Comment 19 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2010-07-18 22:42:18 UTC
This seems to be fixed. Can anyone confirm?
Comment 20 Norman Shulman 2010-07-19 15:25:28 UTC
nshulman@nvsasus:~
$ equery -q l sys-apps/shadow
[I--] [  ] sys-apps/shadow-4.1.4.2-r4 (0)

nshulman@nvsasus:~
$ equery u sys-apps/shadow | grep pam
+pam

nshulman@nvsasus:~
$ sudo login
nvsasus login: joe
Password: 

Login incorrect
nvsasus login: nshulman
Password: 

Login incorrect
nvsasus login: nshulman
Password: 

Login incorrect
nvsasus login: nshulman
Password: 
Last login: Mon Jul 19 11:20:09 EDT 2010 on pts/7
Comment 21 Da Fox 2010-07-19 15:33:28 UTC
(In reply to comment #19)
> This seems to be fixed. Can anyone confirm?
>  

I can confirm that I can now properly login on the third try.
Comment 22 Pacho Ramos gentoo-dev 2010-07-19 16:38:27 UTC
Also looks fixed to me, feel free to close 
Comment 23 SpanKY gentoo-dev 2010-07-19 19:42:44 UTC
thanks for following up guys.  we'll assume the bug was fixed with the recently stabilized shadow 4.1.4.2.
Comment 24 SpanKY gentoo-dev 2010-09-06 20:05:17 UTC
*** Bug 335654 has been marked as a duplicate of this bug. ***