0

Very dangerous error in tty terminal!

asked 2018-07-07 01:18:41 -0500

nokia808

Hi. I was confronted by a severe issue in the tty terminal. I have suffered from it since I was on Fedora 24 & 26! It still exists in Fedora 28.

When I switched to the tty terminal it asked me for a user name. I entered it. Then it asked me to enter the password of that account, & here is the issue: if I enter a wrong password (because I'm human & vulnerable to error) it will say it is wrong & will ask me to enter the password again. When I immediately try to re-enter the password, then before I complete typing the password (in fact just after typing 2 characters of my long password) I am confronted by the password field changing into the field for the user name! The worst thing is that the part of the password that I typed in the 2nd trial (the first 2 characters) is decrypted & appears unhidden! This is very dangerous!

Moreover, during my examination of the issue on its last occasion today, I noticed the following:

  • I rebooted my PC to do a clean test,
  • I switched to the tty terminal,
  • I entered my user name,
  • I immediately started to type the password wrongly to reproduce the bug,
  • I pressed Enter,
  • I then received a message saying wrong password & asking me to try again,
  • I did not enter anything this time & waited till the end of the time factor, when I was switched to entering the user name again,
  • I entered the user name,
  • then as quickly as possible I entered the password when asked for it (but this time I entered the correct password),
  • I pressed Enter,
  • and I was faced with disaster: the password field changed to the user name field & the password was decrypted (appeared as clear text) because it was recognized as the user name!, & below that I saw a message saying: failed login attempt, wrong password!

From my side I have already opened a bug in Red Hat Bugzilla but there is no reply, though I put it as "critical"! Please see:

https://bugzilla.redhat.com/show_bug....

As you see in the link, I selected a wrong "component" (Terminal: which is an XFCE terminal emulator) just to post the bug! I searched for "tty terminal", "virtual terminal" but did not find them! Can anyone give me the correct "component" so I can edit it in the bug?


Comments

"The worst thing is that the part of the password that I typed in the 2nd trial (the first 2 characters) is decrypted & appears unhidden! This is very dangerous!"

Does this also happen if you wait for the prompt to appear?

genodeftest (2018-07-08 02:18:27 -0500)

"Critical" is no guarantee that someone will have a look at it, sorry. You may try the "security sensitive bug" checkbox next time when you think this is a security sensitive issue.

genodeftest (2018-07-08 02:25:37 -0500)

@genodeftest Hello! I only occasionally use Ask Fedora. For that reason I do not know all its aspects. You have now brought my attention to this option "security sensitive bug". Thank you!

nokia808 (2018-07-08 05:23:44 -0500)

2 Answers

1

answered 2018-07-07 02:33:34 -0500

sideburns

Welcome to ask.fedora! Just to check, I just swapped over to a different console and tried to log in using my regular username and the wrong password. There was a slight pause, then it told me that my login was incorrect and it went back to the beginning of the login process and asked me for my username, just as I expected. I've been using Linux for over twenty years, and I've never seen a version that asked you to enter your password a second time if it wasn't right the first time. It sounds to me as though your system is doing exactly what it should, and you've just been misinterpreting the prompt that you get after you give it the wrong password. Next time you get your password wrong, take a moment to read the new prompt, and you'll see that I'm right.


Comments

Many thanks! You are correct! I tried over the previous 1/2 hr to reproduce the issue but I failed! I did as you tried: entered a wrong password.

I do not know what I have to say? All these years I did not recognize that "the tty terminal never allows you to type the password a 2nd time if you typed it wrongly the 1st time"! I'm very sorry! I will close the bug in Bugzilla & apologize to them!

nokia808 (2018-07-07 03:50:48 -0500)

And Unix worked like that long before Linux came along.

villykruse (2018-07-07 06:21:37 -0500)

A worse issue is if some program steals focus while you are typing a password in a GUI window.

villykruse (2018-07-07 06:25:10 -0500)

Fortunately I did not close this thread, because I noticed something (not a bug) but I need to modify a setting to avoid it. I noticed that the default time for entering the password (which is 60 seconds) is divided over all attempts to enter the password before the end of the 60 seconds, & this was responsible for the decryption of my passwords that I suffered in the past. I will use an answer to explain because the space here is not enough.

nokia808 (2018-07-08 00:52:02 -0500)

Oddly enough, the man page says that by default, you're allowed three retries on a bad password, unless overridden in /etc/login.defs but the program now seems to default to zero retries. If so, the documentation needs to be updated.

sideburns (2018-07-08 02:21:31 -0500)
0

answered 2018-07-08 01:22:09 -0500

nokia808

Today, I used the tty terminal to upgrade.

I entered my user name, then immediately I started to type my password. Since it is a new password that I set just a few days ago due to the decryption of my previous password, it is not sticky in my memory & for that reason I entered it incorrectly. I received the message "incorrect password", then the field to re-enter the user name re-appeared. Here I entered my user name, then the password field appeared, & I started to re-type my password. Here is the issue: BEFORE the end of the 60 seconds, while I was typing the password, the password field disappeared & the field to re-enter the user name appeared! I was lucky, because my eyes were alternately shifting to & from the terminal to detect any error, so I stopped typing my password & by this did not decrypt it as in the previous history.

I investigated this & found the following (not a bug but a system setting):

The default 60 seconds for typing the account password is divided over the attempts made before the end of the total 60 seconds, before you receive a 2nd 60 seconds!

If you enter your user name (for the 1st time) the system starts to count down 60 seconds. If you entered the password incorrectly within, let us say, 20 seconds (counting from pressing Enter for the user name), then you will have ONLY 40 seconds to BOTH re-enter the user name again and then the password (this means you will have less than 60 seconds to enter the account password for the 2nd trial!)

To avoid the above scenario, if you enter the password incorrectly in the 1st trial, you have to wait till the remaining part of the 60 seconds ends. At the end of the remainder of the 60 seconds (counting 60 seconds from the time of pressing Enter for the user name for the 1st time), the tty terminal resets as it was when opened for the 1st time (all characters of the previous 1st trial disappear from the screen). Now you will see the prompt to enter the user name (at the top of the screen, without the previous attempts above it). Now you will get the FULL 60 seconds to enter the password (counting from pressing Enter for the user name).

I used a timer to examine this behaviour.

I'm sure it is a system configuration & not a bug. But it is annoying if you use a very complex long password! I want to change this behavior, making the time for typing the password "infinite". Any help please?

@sideburns can you help further? You are an expert with Linux. Do you know how to:

  • make the tty terminal wait an infinite time for typing the password, or
  • at least increase this time to 2 minutes, or
  • NOT divide it over attempts made before the end of the default time (I mean if I failed in the 1st attempt & try again before the end of the default 60 seconds, then it will give me the FULL 60 seconds, not less than 60 seconds). This seems the best solution, if possible.


Comments

I'm not an expert -- an expert has nothing left to learn, and I'd not claim that -- but I'd guess that you'd need to edit /etc/login.defs and add something like LOGIN_TIMEOUT=30 and save it, but don't exit. Then switch to a different console, try to log in with a bad password and see what happens. This way, if you don't like the results, you can always come back to your main session and change (or remove) the new line.

sideburns (2018-07-08 02:28:17 -0500)

@sideburns Dear: 1) even if I add this line, let us say with a value of 240 (3 minutes), what about the issue of the division of the value (240 seconds or whatever else we select) over trials made before the end of this value (say 240 sec)? Say I add this line (with 240 sec), then I entered an incorrect password over 1 minute; then when I am asked for the user name & password again I will have only 2 minutes (120 sec), NOT 240 seconds! This seems to be the main issue. I had not totally misinterpreted the screen .......

nokia808 (2018-07-08 05:14:32 -0500)

@sideburns: 2) regarding LOGIN_TIMEOUT=VALUE, what is the maximum allowed value? 3) can I set it to infinite? If yes, what value should I use to achieve this? 4) is there a security risk from making the timeout longer? 5) if I add this line, do I need to re-add it after upgrading my system to the next version of Fedora or not? In this regard, I edited the dnf.conf file to set the fastest mirror, & after the upgrade from Fedora 26 to 28 it is still set to the fastest mirror.

nokia808 (2018-07-08 05:19:56 -0500)

All I know about how this works is what it says in the man page. If you want to find out what happens when you change things, experiment and find out for yourself. Personally, I'm quite happy with how things work by default and I'm not interested in trying to fix things that aren't broken.

sideburns (2018-07-08 15:47:35 -0500)
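To make the timing behaviour described in the second answer concrete, here is an added simulation (not code from the thread, Fedora or shadow-utils) of a simplified login(1) model: one alarm armed at the first username prompt and not re-armed after a bad password, a bad password returning to the echoing username prompt, and expiry handing you a fresh login with a fresh alarm. The keystroke timelines, the user name "bob" and the password "secret" are constructed; the "rushed" timeline is the one the answer describes, the "patient" one follows its advice to wait for the timer to expire.

```python
from dataclasses import dataclass

@dataclass
class Keystroke:
    t: float   # seconds after the very first username prompt appeared
    ch: str    # "\n" means Enter

def typed(text, t0, step=1.0):
    """Constructed keystroke stream: one character every `step` seconds, then Enter."""
    ks = [Keystroke(t0 + i * step, c) for i, c in enumerate(text)]
    ks.append(Keystroke(t0 + len(text) * step, "\n"))
    return ks

def simulate_login(keys, timeout=60.0, password="secret"):
    """Replay keystrokes against a simplified model of login(1) (an assumption, see lead-in):
    - one alarm is armed when login starts and is NOT re-armed after a bad password;
    - a bad password sends you back to the (echoing) username prompt;
    - when the alarm fires, login exits and getty starts a fresh login with a new alarm.
    Returns (echoed, outcome): every character the screen showed in clear text, and
    whether the correct password was ever accepted."""
    start, field, buf, echoed = 0.0, "user", "", []
    for k in sorted(keys, key=lambda k: k.t):
        while k.t >= start + timeout:      # alarm expired: fresh login, fresh timer
            start += timeout
            field, buf = "user", ""
        if k.ch == "\n":
            if field == "user":
                field, buf = "pass", ""    # password prompt: no echo
            elif buf == password:
                return echoed, "logged in"
            else:
                field, buf = "user", ""    # wrong password: username prompt, same alarm
        else:
            if field == "user":
                echoed.append(k.ch)        # the username prompt echoes what you type
            buf += k.ch
    return echoed, "no login"

# Rushed: bad password at t=15, retry the user name at t=20, start the correct password at t=57.
rushed = typed("bob", 0) + typed("wrong", 10) + typed("bob", 20) + typed("secret", 57)
# Patient: wait for the 60 s alarm to fire, then log in on the fresh prompt.
patient = typed("bob", 65) + typed("secret", 70)

if __name__ == "__main__":
    for name, keys in (("rushed", rushed), ("patient", patient)):
        echoed, outcome = simulate_login(keys)
        print(f"{name}: {outcome}, shown in clear text: {''.join(echoed)!r}")
```

In the rushed timeline the characters "ret" of the password are typed after the alarm fires and land in the new, echoing username prompt, which is exactly the clear-text exposure the question reports; the patient timeline shows only the user name.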


Last updated: Jul 08 '18