# Very dangerous error in tty terminal !

Hi. I confronted by a sever issue in tty terminal. I suffer from it since I was on Fedora 24 & 26 ! It is still existing in Fedora 28

Moreover, during my examination for issue in it's last occusion today, I noticed the following:

• I reboot my PC to do clean test,
• I switched to tty terminal,
• I enter my user name,
• immediately started to type password wrongly to reproduce bug,
• I clicked enter,
• I did not enter any thing this time & wait till end of time factor where I switched to enter user name again,
• I entered user name,
• then as quick as possible I entered password when asked for this (but this time I entered correct password),
• I clicked enter,
• and I faced with disaster: field for password changed to that user name & password was decrypted ( appeared as clear text) because it recognized as the user name !, & bellow that I saw message said: failed attempt for login, wrong password !

From my side I'm already opened bug in Redhat bugzilla but no replay though I put it as "critical" ! Please see"

https://bugzilla.redhat.com/show_bug....

As you see in link, I select a wrong "component" (Terminal: which an XFCE terminal emulator) just to to post bug ! I searched for "tty terminal", "virtual terminal" but did not find them ! Any one can give me the correct "component" to be able to edit it in bug ?

edit retag close merge delete

! The worst thing is that parts of password that I typed in 2 trail (1st 2 characters) will decrypted & appear unhidden ! This is very dangerous !

Does this also happen if you wait for the prompt to appear?

( 2018-07-08 02:18:27 -0500 )edit

"Critical" is no guarantee that someone will have a look at it, sorry. You may try the "security sensitive bug" checkbox next time when you think this is a security sensitive issue.

( 2018-07-08 02:25:37 -0500 )edit

@genodeftest Hello ! I have only few occasional use of Ask Fedora. For that I do not know all it's aspect. You now bring my attention for this option "security sensitive bug" Thank you!

( 2018-07-08 05:23:44 -0500 )edit

Sort by » oldest newest most voted

more

Many thanks ! You are correct ! I tried along previous 1/2 hr to reproduce issue but I failed ! I did as you tried: enter wrong password.

I do not know what I have to say ? All these years I was not recognizing that "tty terminal never allow to type password for 2nd time if type it wrongly in 1st time" ! I'm very sorry ! I will close bug in bugzilla & apologize for them !

( 2018-07-07 03:50:48 -0500 )edit

And unix worked like that long before linux came along.

( 2018-07-07 06:21:37 -0500 )edit

A worse issue is if some program is stealing focus while typing in a password in a gui window.

( 2018-07-07 06:25:10 -0500 )edit

Furtuantly I did not close this thread because I notice some thing (not bug) but I need to modify setting to avoid it. I noticed that the default time for enter password (which is 60 seconds) will divided on all attempts to enter password before end 60 seconds, & this was responsible for decryption of my passwords that I suffered in past. I will use answer to explain because space here not enough.

( 2018-07-08 00:52:02 -0500 )edit

Oddly enough, the man page says that by default, you're allowed three retries on a bad password, unless overridden in /etc/login.defs but the program now seems to default to zero retries. If so, the documentation needs to be updated.

( 2018-07-08 02:21:31 -0500 )edit

Today, I tried tty terminal to upgrade.

I entered my user name, then immediately I started to type my password. Since it is new password I set it just few days due to decryption my previous password, it is not sticky in my memory & for that I entered it incorrectly. I received message "incorrect password" then field to re-enter user name re-appeared. Here I entered my user name, then field of password appeared, & I started to re-type my password. Here is the issue: BEFORE end of 60 seconds while I'm typing password, field of password disappeared & field to re-enter user name appeared ! I was lucky, because my eyes were alternatively shift from & to terminal to detect any error, so I stopped from typing my password & by this not decrypt it as in previous history.

I indestigate this & found the following (not bug but system setting):

The default 60 seconds for typing of password of account will divided over attempts for that till end of total 60 seconds, before you receive 2nd 60 seconds !

If you enter your user name (for 1st time) system started to countdown 60 seconds. If you entered password incorrectly within let we say 20 seconds (counting from click enter for user name), then you will have ONLY 40 seconds to BOTH re-enter user name again then password (this mean you will have less than 60 seconds to enter account password for 2nd trail !)

To avoid the above scenario, you have - if you enter password incorrectly in 1st trail - you have to wait till remaining 60 seconds to end. At end of remaining of 60 seconds (counting for 60 seconds from time of click enter for user name for 1st time), tty terminal reset as it was opened for 1st time (all characters of previous 1st trail will disappear from screen). Now you will see prompt to enter user name (at top of screen without previous attempts above it). Now you will get FULL 60 seconds to enter password (counting from click enter for user name).

I used a timer to examine this behaviour.

I'm sure it is system configuration & not a bug. But it is annoying if you use very complex long password ! I want to change this behavior making "infinite" time for typing password. Any help please ?

@sideburns can you help further ? You are expert with Linux. Do you know how to: - make tty terminal wait for infinite time for typing password or, - at lest increase this time for 2 minutes or, - NOT to divide it over attempts that done before end of default time (I mean if I failed from 1st attempt & try again before end of default 60 second, then it will give me FULL 60 seconds not less than 60 seconds). This seem the best solution - if possible.

more

I'm not an expert -- an expert has nothing left to learn, and I'd not claim that -- but I'd guess that you'd need to edit /etc/login.defs and add something like LOGIN_TIMEOUT=30 and save it, but don't exit. Then switch to a different console, try to log in with a bad password and see what happens. This way, if you don't like the results, you can always come back to your main session and change (or remove) the new line.

( 2018-07-08 02:28:17 -0500 )edit

@sideburns Dear: 1) even if I add this line, let we say with value of 240 (3 minutes), what about the issue of division of value (240 seconds or what ever elso we select) over trails that done before end of this value (say 240 sec) ? Say I add this line (with 240 sec), then I entered incorrect password over 1 minutes, then when I will asked for user name & password again I will have only 2 minutes (120 sec) NOT 240 seconds ! This is seam to be main issue. I was not totally misinterpreted screen .......

( 2018-07-08 05:14:32 -0500 )edit

@sideburns: 2) regarding LOGIN_TIMEOUT=VALUE, what is maximum allowed value ? 3) can I set it at infinite ? If yes, what is the value that I should used for achieving this ? 4) is there a security risk from making timeout longer ? 5) if I added this line, then do I need to re-add it after I upgrading my system to next version of Fedora or not ? In this regard, I edit dnf.conf file to set at fastest mirror, but after upgrade from Fedora 26 to 28, is still set on fastest mirror.

( 2018-07-08 05:19:56 -0500 )edit

All I know about how this works is what it says in the man page. If you want to find out what happens when you change things, experiment and find you for yourself. Personally, I'm quite happy with how things work by default and I'm not interested in trying to fix things that aren't broke.

( 2018-07-08 15:47:35 -0500 )edit

## Stats

Seen: 251 times

Last updated: Jul 08 '18