USERID with whitespace [LDAP / GUI Login]
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ldap-auth-client (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
After switching to LDAP authentication last summer, we've noticed that if a user hits the space bar a couple of times before entering their username in a lightdm login screen, they still will be authenticated. This phenomenon also occurs if a user puts space at the end of their username. This could be a potential security issue.
After getting a desktop, typing last at the command line yields an example:
user1 :0 :0 Mon Apr 25 19:08 - 19:38 (00:29)
user2 :0 :0 Mon Apr 25 16:25 - 16:45 (00:19)
user3 :0 :0 Mon Apr 25 10:28 - 11:57 (01:29)
** Note the space before the user2 username.
The issue becomes where users run CLI programs where their $USER is taken into account. A workaround has been implemented in /etc/bash.bashrc which basically strips the whitespace, but it would be great if we could prevent them (don't accept) from putting in the space to begin with. We've scoured ***/etc/
information type: | Private Security → Public |
information type: | Public → Public Security |
information type: | Public Security → Public |
information type: | Public → Public Security |
information type: | Public Security → Public |
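The `last` output in the report is read from `/var/log/wtmp`, so the padded names can be found by scanning that file directly. The following is an added example, not part of the original report or of ldap-auth-client: a detection sketch that flags login records whose user name has leading or trailing whitespace. It assumes the 384-byte glibc utmp record layout on little-endian x86-64; the function names, the pid and the sample records are constructed for illustration.

```python
import struct

# Assumed layout: Linux/glibc utmp record on little-endian x86-64 (384 bytes).
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type of an interactive login session


def _field(raw):
    """Decode a NUL-padded fixed-width field, keeping any whitespace intact."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def padded_logins(blob):
    """Return (recorded, canonical, tty, epoch) for every login record whose
    user name carries leading or trailing whitespace."""
    hits = []
    usable = len(blob) - len(blob) % UTMP.size  # skip a truncated last record
    for off in range(0, usable, UTMP.size):
        rec = UTMP.unpack_from(blob, off)
        ut_type, tty, user, epoch = rec[0], _field(rec[2]), _field(rec[4]), rec[9]
        if ut_type == USER_PROCESS and user and user != user.strip():
            hits.append((user, user.strip(), tty, epoch))
    return hits


def make_record(user, tty=b":0", epoch=0):
    """Build one constructed USER_PROCESS record for the sample below."""
    return UTMP.pack(USER_PROCESS, 4242, tty, b"", user, b":0",
                     0, 0, 0, epoch, 0, 0, 0, 0, 0)


# Constructed sample: user2 has a leading space as in the report; user4 is an
# extra constructed record covering the trailing-space case it also describes.
SAMPLE = b"".join([
    make_record(b"user1", epoch=1461611280),
    make_record(b" user2", epoch=1461601500),
    make_record(b"user3", epoch=1461580080),
    make_record(b"user4 ", epoch=1461570000),
])

if __name__ == "__main__":
    # On a real host, pass open("/var/log/wtmp", "rb").read() instead of SAMPLE.
    for recorded, canonical, tty, epoch in padded_logins(SAMPLE):
        print(f"{recorded!r} should be {canonical!r} (tty {tty}, epoch {epoch})")
```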