A user account with a password set is allowed to log in without the password

[LinuxOnTheDesktop]

1. I have an existing user account called 'present'.
2. I changed that user's password using the 'passwd' tool.
3. Using a tty shows that the new password is set. (If and only if I enter that password can I login with 'present' at the tty.)
4. The greeter does not require the password - it logs me as soon as I click on the username,

So far I can tell, the greeter is not set to login 'present' automatically:

This problem seems to be a security vulnerability. But I see no option here for private reporting.

EDIT: I did, before opening this issue, discuss the problem on the Mint forum. But no light seemed to be shed there on the problem.

[timfeierabend]

Which distro and kernel version are you using?

[leigh123linux]

Basic info not provided.

[LinuxOnTheDesktop]

I was using whatever version of Mint 22 - 22.0, I think - and, probably - a 6.8 kernel. You ask me some five months after the fact, and you close the issue - for lack of information - after only twelve hours notice.

[timfeierabend]

@LinuxOnTheDesktop let me spin up various Mint 22.X VMs and try to re-create this issue.

Do you remember if the user account 'present' was the only account on the machine?

[LinuxOnTheDesktop]

@timfeierabend

Thank you.

There was more than one user account - one further account, I believe. I have not encountered the problem recently, but that might be for the following reason. I have found it hard to use more than one user account on Mint - because of:

• this serious security problem;
• logging off and then on again (even with the same account) sometimes makes the bamfdaemon and xdg-desktop-portal-gtk services fail (apparently with no consequence, but my Conkly watches for failined services; I can dig out details of the failure if you like);
• some programs, such as Plank (but not PlankReloaded?) fail after a logoff-and-logon (although one can use logoff scripts to work around that).

[leigh123linux]

• this serious security problem;

slick-greeter is just a GUI for lightdm. it doesn't handle the security side.
File your grievance at ubuntu bug tracker or directly upstream https://github.com/canonical/lightdm/issues

[LinuxOnTheDesktop]

@leigh123linux

Are you sure that the problem at issue owes to lightdm? (Compare this report - bearing the 'bug' label.)

If you are, would it be reasonable for slick-greeter to mitigate the problem? We don't want people logging in without passwords.