FS#57786 - [util-linux] [pam] LOG_UNKFAIL_ENAB in /etc/login.defs not respected

Attached to Project: Arch Linux
Opened by Jing Wang (jingwang) - Sunday, 11 March 2018, 00:27 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:13 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Christian Hesse (eworm)
David Runge (dvzrv)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
LOG_UNKFAIL_ENAB is supposed to disable logging unknown usernames in /var/log/btmp and syslog, as a safety measure "if an user enter her password instead of her login name." (quote from `man login.defs`) This setting defaults to "no" upstream and in Arch. Unfortunately it doesn't work on Arch; usernames get logged anyway.

Additional info:
* util-linux 2.31.1-1
* pam 1.3.0-1
* shadow 4.5-4
* coreutils 8.29-1
* libsystemd 237.64-1
* libcap-ng 0.7.8-1
* libutil-linux 2.31.1-1
* stock configuration (can repro on clean install)

I don't know if this ever worked. I can confirm the FAIL_DELAY setting is respected, so the file isn't being completely ignored.

Reason for marking "High": Wiki says "less critical security issues" fall under this bucket, but this is arguably a low priority issue.

Steps to reproduce:
* Install Arch from a clean slate (just to confirm it wasn't something about my setup)
* Log in using a bogus username in a VT, which will fail (below example uses `BOGUS_USERNAME`)
* See your username in /var/log/btmp or `journalctl | grep FAILURE`

```
Mar 10 16:01:37 jing login[10610]: pam_tally(login:auth): pam_get_uid; no such user
Mar 10 16:01:38 jing login[10610]: pam_unix(login:auth): check pass; user unknown
Mar 10 16:01:38 jing login[10610]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost=
Mar 10 16:01:40 jing login[10610]: FAILED LOGIN 1 FROM tty3 FOR BOGUS_USERNAME, Authentication failure
Mar 10 16:01:42 jing login[10610]: pam_securetty(login:auth): unexpected response from failed conversation function
Mar 10 16:01:42 jing login[10610]: pam_securetty(login:auth): cannot determine username
Mar 10 16:01:42 jing login[10610]: pam_nologin(login:auth): cannot determine username
```

Research I've done:
The code using LOG_UNKFAIL_ENAB seems pretty straightforward: https://github.com/karelzak/util-linux/blob/v2.31.1/login-utils/login.c#L755
```
if (rc == PAM_USER_UNKNOWN && !show_unknown)
	/*
	 * Logging unknown usernames may be a security issue if
	 * a user enters her password instead of her login name.
	 */
	cxt->username = NULL;
else
	loginpam_get_username(pamh, &cxt->username);

syslog(LOG_NOTICE,
       _("FAILED LOGIN %u FROM %s FOR %s, %s"),
       failcount, hostname,
       cxt->username ? cxt->username : "(unknown)",
       pam_strerror(pamh, rc));
```

Based on the logging of "Authentication failure" for `pam_strerror(pamh, rc)`, it seems PAM is giving us PAM_AUTH_ERR instead of PAM_USER_UNKNOWN.
```
case PAM_AUTH_ERR:
	return _("Authentication failure");
```

Ubuntu (clean install of 16.04.4) correctly censors the username:
```
Mar 10 14:20:33 test-VirtualBox login[1380]: pam_unix(login:auth): check pass; user unknown
Mar 10 14:20:33 test-VirtualBox login[1380]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Mar 10 14:20:35 test-VirtualBox login[1380]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
```

I suspect this has something to do with Arch's configuration of PAM in /etc/pam.d, though I don't have much knowledge of how PAM works. I could definitely be guessing incorrectly here.
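The branch quoted above, as an added example that is not code from util-linux or from this report: a stand-alone C model of the login.c decision together with a minimal reader for the LOG_UNKFAIL_ENAB key, showing that with the default "no" the name is censored only when PAM returns PAM_USER_UNKNOWN and is logged when the stack reports PAM_AUTH_ERR instead, as seen on Arch. The PAM constants and the pam_strerror wording are assumed to follow Linux-PAM; the decision logic does not depend on their exact values.

```c
/* Added example, not util-linux code: stand-alone model of the quoted login.c
 * branch. Constants follow Linux-PAM numbering; the logic does not depend on them. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define PAM_AUTH_ERR      7
#define PAM_USER_UNKNOWN 10

/* Read LOG_UNKFAIL_ENAB from login.defs-style text: 1 for "yes", 0 otherwise
 * (the upstream and Arch default is "no"); comments and other keys are skipped. */
int log_unkfail_enab(const char *defs)
{
    const char *p = defs;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (strncmp(p, "LOG_UNKFAIL_ENAB", 16) == 0 && isspace((unsigned char)p[16])) {
            p += 16;
            while (*p == ' ' || *p == '\t') p++;
            return tolower((unsigned char)p[0]) == 'y' &&
                   tolower((unsigned char)p[1]) == 'e' &&
                   tolower((unsigned char)p[2]) == 's';
        }
        while (*p && *p != '\n') p++;   /* skip to the next line */
        if (*p) p++;
    }
    return 0;
}

/* Same decision as the quoted login.c: only PAM_USER_UNKNOWN reaches the
 * censoring branch; any other failure code (PAM_AUTH_ERR here) logs the name. */
const char *logged_name(int rc, int show_unknown, const char *pam_user)
{
    if (rc == PAM_USER_UNKNOWN && !show_unknown)
        return "(unknown)";     /* the typed name may really be a password */
    return pam_user ? pam_user : "(unknown)";
}

/* Build the syslog line and report whether the typed name appears in it. */
int message_leaks_name(int rc, int show_unknown, const char *pam_user,
                       unsigned failcount, const char *host)
{
    char buf[256];
    const char *reason = rc == PAM_USER_UNKNOWN
        ? "User not known to the underlying authentication module"  /* Linux-PAM text */
        : "Authentication failure";
    snprintf(buf, sizeof buf, "FAILED LOGIN %u FROM %s FOR %s, %s",
             failcount, host, logged_name(rc, show_unknown, pam_user), reason);
    return strstr(buf, pam_user) != NULL;
}
```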

Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:13 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/util-linux/issues/1
Comment by Toolybird (Toolybird) - Sunday, 11 June 2023, 07:20 GMT
Dupe FS#75647
Comment by Christian Hesse (eworm) - Monday, 12 June 2023, 06:29 GMT
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
