Multiple errors on wrong password #119

Open

@gngram gngram commented Jan 3, 2025

If the user enters a wrong password to unlock, gtklock tries to re-authenticate using the old wrong password, which results in errors. This patch stops the re-authentication if authentication fails.

gtklock tries to reauthenticate using the old wrong password, which
results in errors. This patch stops authentication if the password is
incorrect.

Signed-off-by: Ganga Ram <[email protected]>
@jovanlanik
Owner

I can't replicate the issue.

Jan 05 15:17:41 [unix_chkpwd] password check failed for user (lanikjo)
Jan 05 15:17:41 [gtklock] pam_unix(gtklock:auth): authentication failure; logname=lanikjo uid=1000 euid=1000 tty= ruser= rhost=  user=lanikjo

I'm not sure how the code in the PR is supposed to work. The PAM_ERROR_MSG case should not be reached if you enter the wrong password.
Can you provide more detail about the issue, your pam configuration and explain exactly how this code is supposed to fix the issue?

@gngram
Author

gngram commented Jan 6, 2025

When I enter a wrong password, it hits PAM_ERROR_MSG and then PAM_PROMPT_ECHO_ON.
In the PAM_PROMPT_ECHO_ON case, it duplicates the old password, and then it fails again.
This repeats five times, so five errors are seen on the lock screen before the final pam_authenticate failure.
I think in the ECHO_ON case it should get a fresh password to continue the authentication.
I will share the PAM configuration, detailed logs and errors.

@gngram
Author

gngram commented Jan 6, 2025

Analysis summary:

I used gtklock with some debug prints:

master...gngram:gtklock:debug

When I enter a wrong password to unlock the screen, I see multiple error messages on screen (screenshot below):
[Image: IMG_4735]

Journalctl logs:

Jan 06 09:59:32 gui-vm gtklock[1289]: pam_systemd_home(gtklock:auth): New sd-bus connection (system-bus-pam-systemd-home-1289) opened.
Jan 06 09:59:45 gui-vm gtklock[1289]: pam_systemd_home(gtklock:auth): Failed to acquire home for user ganga: Password for home ganga is incorrect or not sufficient for authentication.
Jan 06 09:59:45 gui-vm unix_chkpwd[1323]: check pass; user unknown
Jan 06 09:59:45 gui-vm unix_chkpwd[1323]: password check failed for user (ganga)
Jan 06 09:59:45 gui-vm gtklock[1289]: pam_unix(gtklock:auth): authentication failure; logname=ganga uid=1000 euid=1000 tty= ruser= rhost=  user=ganga
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ECHO_ON/OFF
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ERROR
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ECHO_ON/OFF
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ERROR
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ECHO_ON/OFF
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ERROR
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ECHO_ON/OFF
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ERROR
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ECHO_ON/OFF
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ERROR
Jan 06 09:59:47 gui-vm swayidle[1289]: GTKLOCK-conversation----ECHO_ON/OFF

Journalctl log for correct password case:

With the correct password it works fine, as expected.

Jan 06 10:02:10 gui-vm gtklock[1623]: pam_systemd_home(gtklock:auth): New sd-bus connection (system-bus-pam-systemd-home-1623) opened.
Jan 06 10:02:11 gui-vm gtklock[1623]: pam_systemd_home(gtklock:auth): Home for user ganga successfully acquired.
Jan 06 10:02:11 gui-vm swayidle[1623]: GTKLOCK-conversation----ECHO_ON/OFF

PAM configuration:

[ganga@gui-vm:~]$ cat /etc/pam.d/gtklock 
# Account management.
account sufficient /nix/store/fmp5cfb3bf0185prqjsf477n8pqr9ykv-guivm-systemd-256.7/lib/security/pam_systemd_home.so # systemd_home (order 10800)
account required /nix/store/73wvk8fiijn56769hzhn7r0nplwy9v9i-linux-pam-1.6.1/lib/security/pam_unix.so # unix (order 10900)

# Authentication management.
auth sufficient /nix/store/ywzckxcb3lzrvfc6x65xp0jvsz64150j-pam_u2f-1.3.0/lib/security/pam_u2f.so authfile=/nix/store/pg57dnvjjd3h90na3jch9dhv6h1kkbmv-u2f_mapping cue # u2f (order 10900)
auth sufficient /nix/store/pcapcscha3wmx00jmk5m7n8pp1zm8y4w-fprintd-1.94.4/lib/security/pam_fprintd.so # fprintd (order 11400)
auth sufficient /nix/store/fmp5cfb3bf0185prqjsf477n8pqr9ykv-guivm-systemd-256.7/lib/security/pam_systemd_home.so # systemd_home (order 11500)
auth sufficient /nix/store/73wvk8fiijn56769hzhn7r0nplwy9v9i-linux-pam-1.6.1/lib/security/pam_unix.so likeauth try_first_pass # unix (order 11600)
auth required /nix/store/73wvk8fiijn56769hzhn7r0nplwy9v9i-linux-pam-1.6.1/lib/security/pam_deny.so # deny (order 12400)

# Password management.
password sufficient /nix/store/fmp5cfb3bf0185prqjsf477n8pqr9ykv-guivm-systemd-256.7/lib/security/pam_systemd_home.so # systemd_home (order 10100)
password sufficient /nix/store/73wvk8fiijn56769hzhn7r0nplwy9v9i-linux-pam-1.6.1/lib/security/pam_unix.so nullok yescrypt # unix (order 10200)

# Session management.
session required /nix/store/73wvk8fiijn56769hzhn7r0nplwy9v9i-linux-pam-1.6.1/lib/security/pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
session required /nix/store/73wvk8fiijn56769hzhn7r0nplwy9v9i-linux-pam-1.6.1/lib/security/pam_unix.so # unix (order 10200)
session required /nix/store/fmp5cfb3bf0185prqjsf477n8pqr9ykv-guivm-systemd-256.7/lib/security/pam_systemd_home.so # systemd_home (order 10500)
session required /nix/store/73wvk8fiijn56769hzhn7r0nplwy9v9i-linux-pam-1.6.1/lib/security/pam_limits.so conf=/nix/store/rcqn97cfcddcp2kmcpznc6j37r1v33cp-limits.conf # limits (order 12200)

Please let me know if I am missing anything.

@gngram
Author

gngram commented Jan 6, 2025

I referred to this:
https://docs.oracle.com/cd/E19253-01/816-4863/emrbk/index.html

In the conversation method, for the ECHO_ON case they take a fresh password from the user.
For user login we are using greetd; in the wrong-password case we see only a login failed error.
They also take a fresh password in the ECHO_ON case:

https://github.com/kennylevinsen/greetd/blob/e74e2bfc79f44ff00011dc9cc08ba89d9af9b17a/greetd/src/pam/ffi.rs#L31

In the patch, instead of getting a fresh password, I have stopped the conversation by throwing an error, which causes pam_authentication failure. The failure is well handled by window.c: window_pw_wait()

Otherwise we can take a fresh password in the ECHO_ON case, but it will require many changes.
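
Added example, not part of the PR or of gtklock's code: a self-contained C model of the behaviour discussed in this thread, comparing a conversation callback that replays the cached password on every prompt with one that answers only once. `conv_state`, `conv`, `fake_module` and `run` are hypothetical names, the callback is simplified from the real `pam_conv` signature, and the five retries mirror the count reported above.

```c
#include <stdio.h>
#include <string.h>
/* Values match Linux-PAM's headers; redefined so this builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3 };

struct conv_state {
    const char *cached;         /* password typed once on the lock screen */
    int one_shot;               /* 1: never answer a second prompt from the cache */
    int answered, errors_shown; /* prompts answered, error texts displayed */
};

/* Simplified callback (hypothetical shape): one message per call. */
static int conv(int style, const char **reply, struct conv_state *st) {
    if (style == PAM_ERROR_MSG) {
        st->errors_shown++;
        return PAM_SUCCESS;
    }
    if (style != PAM_PROMPT_ECHO_OFF && style != PAM_PROMPT_ECHO_ON) return PAM_CONV_ERR;
    /* The cached input was already rejected once: stop instead of replaying it. */
    if (st->one_shot && st->answered > 0) return PAM_CONV_ERR;
    st->answered++;
    *reply = st->cached;
    return PAM_SUCCESS;
}

/* Constructed stand-in for a module that re-prompts after a wrong password. */
static int fake_module(const char *real, int tries, struct conv_state *st) {
    for (int i = 0; i < tries; i++) {
        const char *pw = NULL;
        if (conv(PAM_PROMPT_ECHO_OFF, &pw, st) != PAM_SUCCESS) return PAM_CONV_ERR;
        if (strcmp(pw, real) == 0) return PAM_SUCCESS;
        conv(PAM_ERROR_MSG, NULL, st); /* "wrong password" text on screen */
    }
    return PAM_AUTH_ERR;
}

/* One unlock attempt: returns the result code, reports errors displayed. */
static int run(const char *typed, int one_shot, int *errors) {
    struct conv_state st = { typed, one_shot, 0, 0 };
    int rc = fake_module("constructed-secret", 5, &st);
    *errors = st.errors_shown;
    return rc;
}

int main(void) {
    int e1, e2, r1 = run("wrong", 0, &e1), r2 = run("wrong", 1, &e2);
    printf("replay: rc=%d errors=%d | one-shot: rc=%d errors=%d\n", r1, e1, r2, e2);
    return 0;
}
```

Replaying the cached password also makes one mistyped unlock look like several failed attempts to anything that counts failures.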
