GNOME Bugzilla – Bug 708846
RFE: Provide (off by default) feature for showing notification at start up about recent login failures/successes.
Last modified: 2019-03-20 11:12:47 UTC
I enter my password, and while I wait to log in, I see messages displayed below the password field. They say things like "There was 1 failed login attempt since last time". It looks bad, and it will also be disturbing for people. It looks like someone has been trying to hack your account.
This is a fedora change. I got reverted in time for f19, but it snuck back in for f20.
also see bug 694688
As bug 694688 points out, the login screen isn't a good place for these messages - since it would imply delaying login long enough for them to be read. A better approach would be to show the information in a notification after login has taken place. That said, while it is fine to provide this for deployments that require it, I don't think it makes sense to have it on by default.
repurposing this bug for the suggested change and retitling for clarity. Reassigning to gnome-settings-daemon, since it's a post-login feature, and probably best implemented there.
Removing the 3.10.1 whiteboard, this isn't going to land in 3.10.
Some more context for this feature: display of last login details are a requirement for some US government deployments, as described in AC-9 of SP 800-53 [1]. According to these requirements, there are a few things we have to do when the feature is turned on: * Display number of unsuccessful login attempts since last successful login. * Display the time and date of the last successful login. * Require that the user explicitly dismisses this information. I think that the best way to do this is with a critical notification that is shown immediately after login. This would have the heading: "x unsuccessful login attempts since last login" With the body text: "Last successful login was on <date> at <time>." [1] http://dx.doi.org/10.6028/NIST.SP.800-53r4
What whould the notification say if there were no unsuccessful login attempts ? Maybe just 'Welcome back, Allan!' ?
Or "No unsuccessful login attempts since last login" - to reinforce the cases where there are erroneous login attempts.
One thing to get clarification on is whether they really want to see the time since the last *sign in* or the last account activity which is *sign out*. For example, if you sign in and stay active for a month and sign out today it is weird to see last sign in: August. If we are just checking of boxes here I guess we go with what the letter of the law is. We can always show more information in the account history in Account Settings. I wouldn't use the term successful in the message because it is redundant. I like Matthias' idea to humanize the messages. primary: "Welcome back" secondary: "Last signed in on Aug 28 at 1:14 PM." secondary2: "With 5 unsuccessful attempts since then." Actions: OK, Show Details I would use a "friendly" date and time format, if possible. We might want to leave off the name from the subject because it is hard to get a good informal name for the user. If there have not been unsuccessful attempts I would just skip it.
One thing to be clear about - the last login information only needs to be displayed after login itself (ie. session start). We don't need to do this when unlocking. (In reply to comment #9) > One thing to get clarification on is whether they really want to see the time > since the last *sign in* or the last account activity which is *sign out*. For > example, if you sign in and stay active for a month and sign out today it is > weird to see last sign in: August. > > If we are just checking of boxes here I guess we go with what the letter of the > law is. We can always show more information in the account history in Account > Settings. I've checked, and it seems that the requirement only mentions time and date of last login. I agree that this isn't the most helpful piece of information to display, but it seems to be what they want. > I wouldn't use the term successful in the message because it is redundant. Agree. > I like Matthias' idea to humanize the messages. > > primary: "Welcome back" > secondary: "Last signed in on Aug 28 at 1:14 PM." > secondary2: "With 5 unsuccessful attempts since then." > > Actions: OK, Show Details > > I would use a "friendly" date and time format, if possible. We might want to > leave off the name from the subject because it is hard to get a good informal > name for the user. > > If there have not been unsuccessful attempts I would just skip it. Sounds good.
bug 709308 has a patch to add an option to open the history dialogue in the user accounts panel.
Filed: https://bugs.freedesktop.org/show_bug.cgi?id=70052 About getting the API to get login failures from accounts service.
Created attachment 256328 [details] test.c A stand-alone application. With the new notification, we might not even need to let the application running for gnome-shell to still be able to act up on it. I think having it in a separate startup application, not in g-s-d, means that we avoid popping up the notification when g-s-d crashes or restarts. It also means that it's easily backportable/installable when needed.
(In reply to comment #13) > Created an attachment (id=256328) [details] > test.c > > A stand-alone application. With the new notification, we might not even need to > let the application running for gnome-shell to still be able to act up on it. > > I think having it in a separate startup application, not in g-s-d, means that > we avoid popping up the notification when g-s-d crashes or restarts. It also > means that it's easily backportable/installable when needed. Just to be clear - you're proposing that, when the "last login" feature is on, the control center's history dialog should be launched when the user logs in?
(In reply to comment #14) > (In reply to comment #13) > > Created an attachment (id=256328) [details] [details] > > test.c > > > > A stand-alone application. With the new notification, we might not even need to > > let the application running for gnome-shell to still be able to act up on it. > > > > I think having it in a separate startup application, not in g-s-d, means that > > we avoid popping up the notification when g-s-d crashes or restarts. It also > > means that it's easily backportable/installable when needed. > > Just to be clear - you're proposing that, when the "last login" feature is on, > the control center's history dialog should be launched when the user logs in? Absolutely not. The test app is attached to this bug. It would stay in a separate small login app. The "show details" button would launch the history dialogue in user-accounts panel with all the details.
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gnome-settings-daemon/issues/228.