Yeah also try setting another wallpaper for Breath2 theme or clear it using respective Systemsettings module.
My message above updated with more details how it has gone from “can’t reproduce” to “OHSHI~”
1 Like
It is a known issue to KDE developers. That is why the Breeze theme is not having that button. So it is recommended for now to hide that button as a workaround. However, people who know how to modify settings can unhide the password after all. Hence we don’t install Wayland session by default.
1 Like
Ok, that in itself is an issue, and i was able to reproduce on Arch install. Worse than that, with multiple users, the TTY1 is hold on for the TTY2 session for first user, the TTY3 is hold on for the session displayed on TTY4 for second user, and both show the password with the number of characters the password has.
For me the issue seems to be SDDM.
It works with VBox too, but my Manjaro installs only show black screen no matter what, even on native install.
It has to edit the theme.
Why the issue on the sddm's github page (linked in initial post) is still open with no emergency patch applied?
Is it that hard to clear a text field after password check to prevent one of severest vulnerabilities? That functionality is already present if to enter wrong password and hit Enter: the field got cleared after this. So it nothing to develop, it is just re-use an already existing functionality only.
It is a single line code fix - just to import and to call that already written function only. Why still no fix from sddm developers and to issue of emergency update? I shocked.
Probably the issue was poor described with no details provided, for example exact steps to reproduce.
Could we try to issue our fix according to the How a user's password can be viewed in SDDM after logging into a Plasma Wayland session · Issue #1463 · sddm/sddm · GitHub suggestion?
I know it is bad idea to patch in downstream levels only (by each downscream software authors), but just in case if text field cleanup will take years to fix in original repo. It is already 11 days opened with no easy visible tries to fix (but may be it is a vacation or illness, I really hope it is the first variant only).
Somebody, please help: please provide a pull request with those changes How a user's password can be viewed in SDDM after logging into a Plasma Wayland session · Issue #1463 · sddm/sddm · GitHub
@linux-aarhus
just did exactly the same thing for Breath2 theme:
3 Likes
This alone is not enough, SDDM greeter needs a patch too.
1 Like
It’s not a greeter but a default theme. If somebody use it of course it’s worth it to fix it there also.
Ah OK I haven’t dug that deep.
However I tried to apply exactly what you did here locally on my laptop and I still can see my password after login and switching to SDDM screen when using Breath2 theme…
There should be something else done or this approach simply doesn’t work in the first place.
I can’t see the greeter after login so I don’t know how I can debug it
Why the idea to fix “only for me” / for current usage scenario should be preferred over general vulnerability fix, not a single aspect of one case only?
To fix severe vulnerabilities only-for-me/for certain case/usage scenario is awful idea to implement. The git’s post suggests to do it in three places.
Because it’s temporary solution.
I personally don’t want to dive into sddm code and check how to run wayland on the same tty as sddm greeter.
1 Like
Fast mitigation. Got it. Agree. Thank you!
Well done for this one theme.
This should however be upstreamed so it’s available in general.
1 Like
If I understand this correct - in essense - it is not sddm itself - but the themes which should remove the password on succesful login.
It makes sense - at least from a developer perspective - as sddm is drawing the theme.
If the theme provides an option to show the password then sddm has no knowledge of the password being revealed - it then stands to reason the theme also removes the password on success.
The question is only if the fix work or not, as those who provide the fix can’t reproduce the issue at all on their machines. So it needs to. Be verified by the user who has the issue.
Also we should check if the change needs a recompile of the theme or if I this text and works on reboot.
1 Like
I also cannot see the greeter after login if I have my external monitor connected. Bu if I unplug it and then login using only my laptop’s display, then I see this issue.
1 Like
Well I don’t have a second monitor and also can’t see the greeter in a VM.
I tested this using sddm from git and changes suggested in the issue thread, also applied changes made by @LordTermor
Still this nasty bug present.
I quit using Breath2 theme until further ideas. Maldives and Breeze are quite pretty, too.
Not that I used Breath2 or its password reveal button or Wayland in general before, but anyway…