On 10/19/15, Ksamak <ksa...@hypra.fr> wrote:
>
> Actually, this bug seems to mostly appear when the following option is set:
> [SeatDefaults]
> greeter-hide-users=false
> This is mainly used to have the "main" user directly written in the
> first field, so as not to retype it every boot.
>
> So when you have this option activated, the focus is directly put on the
> password field, and then the bug appears.
> If the user circles through the fields once, with tab, then back on the
> password field, the bug disappears.
>
> I've seen it appear as well when two users are set-up on the system, but
> I'm not sure about the exactness of my reproduce steps, so I'll try
> again if people find the bug Could Not Reproducible
>
> I can make available a VM with the bug appearing at boot, for tests
> (3.6Gb)
> lightdm version 1.10.3-3, jessie current.

I THINK this is only my second bug I've tried to assist with so I didn't
want to be the participant who keeps responding to herself. Just as soon
as I offered up my previous observation re the possibility of toggling
password masking on and off, I found the following pre-existing bug:

Bug #736964; Dated January 28, 2014
Bug Title: [lightdm] Password is shown in cleart text while typing
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736964

The extremely short synopsis is that, exactly as Ksamak shared here in
this current bug report, "greeter-hide-users=false" was determined to be
at least one culprit. The ultimate outcome at the end of that bug report
is it appears to have possibly been determined to be a Launchpad
responsibility.

Because lightdm is so small, I was able to download both the source and
the .deb archive file just to nose around to see if I could help you all
further. I don't know the ultimate default outcome during installation of
either of those versus the other BUT.....

* within the .deb archive file (the i386 version),
/etc/lightdm/lightdm.conf references "greeter-hide-users=false". It's
initially commented out, but I *presume* "false" is its default value
if/when activated. Wondering out loud: Is it perhaps an option offered to
users during the installation process? If it is, maybe it needs to be
better described in some way at that moment so users fully understand the
consequence of that particular user CHOICE.

* the .xz compilable source file contains a file called 01_debian.conf
which references "greeter-hide-users=true". That's the only place I found
it in the .xz file after briefly extracting and then grepping for that
variable. Its value is noticeably the absolute opposite of the same
variable found in the .deb file. As you all have already determined, the
value "true" definitely sounds the more secure screenreader related
CHOICE.

Am just sharing the above, particularly the previously reported bug,
since the bug appears very similar so maybe there is something that was
already addressed by Developers that could help short track Debian's fix.
As has been discussed already, this is definitely a high security risk
for Debian Users with visual impairments.

I wish I understood Debian's inside coding more so I could be in there
helping you all nail it down. Good luck!

Cindy :)

--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *
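
Added example, not part of the original message and not LightDM or Debian code: a Python sketch that works out which greeter-hide-users value actually takes effect when a commented-out line in /etc/lightdm/lightdm.conf coexists with 01_debian.conf. The file contents are constructed from what the message describes; the install path of 01_debian.conf and the read order (shipped files first, /etc last, later files overriding earlier ones) are assumptions.

```python
import configparser
import glob
from pathlib import Path

KEY = "greeter-hide-users"
# [SeatDefaults] is the section quoted in the thread; [Seat:*] is the name
# used by newer LightDM releases.
SECTIONS = ("SeatDefaults", "Seat:*")

# Constructed sample contents mirroring what the message describes.
# The install path of 01_debian.conf is an assumption.
DEBIAN_DEFAULT = ("/usr/share/lightdm/lightdm.conf.d/01_debian.conf",
                  "[SeatDefaults]\ngreeter-hide-users=true\n")
ETC_COMMENTED = ("/etc/lightdm/lightdm.conf",
                 "[SeatDefaults]\n#greeter-hide-users=false\n")
ETC_ACTIVE = ("/etc/lightdm/lightdm.conf",
              "[SeatDefaults]\ngreeter-hide-users=false\n")


def effective_setting(files):
    """files: (name, text) pairs in read order; a later file overrides an
    earlier one. Returns (value, source) or (None, None) if nothing sets it."""
    value, source = None, None
    for name, text in files:
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       comment_prefixes=("#",), delimiters=("=",))
        cp.read_string(text, source=name)
        for section in SECTIONS:
            if cp.has_option(section, KEY):
                value, source = cp.get(section, KEY).strip().lower(), name
    return value, source


def system_files():
    """Read the real files in the assumed order: shipped defaults, then /etc."""
    paths = sorted(glob.glob("/usr/share/lightdm/lightdm.conf.d/*.conf"))
    paths += sorted(glob.glob("/etc/lightdm/lightdm.conf.d/*.conf"))
    paths.append("/etc/lightdm/lightdm.conf")
    return [(p, Path(p).read_text()) for p in paths if Path(p).is_file()]


if __name__ == "__main__":
    for label, files in (("commented out", [DEBIAN_DEFAULT, ETC_COMMENTED]),
                         ("activated", [DEBIAN_DEFAULT, ETC_ACTIVE]),
                         ("this system", system_files())):
        print(label, "->", effective_setting(files))
```

A result of (None, None) means no file sets the key, so whatever default is built into the installed LightDM applies.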