Comment 18 for bug 411559

Milan Bouchet-Valat (nalimilan) wrote :

The question is: which upstream (or which package) should it go into? This message comes from PAM, which sets it accordingly when an authentication module returns PAM_AUTH_ERR from pam_sm_authenticate(). In the case of a bad password, this is the pam_unix module. The problem is, this module can also fail because the account has expired, or other reasons like that. And the PAM API doesn't allow the module to pass more information.

So it seems that without changing the PAM API, which would create compatibility issues, we can't get the real reason for the auth failure. Changing the string to something like "Wrong password" would work for most cases, but would be highly misleading if the reason is different (e.g. disabled account, or if something is going wrong in the setup of PAM). In particular, for Ubuntu server, it would be silly.

Maybe (maybe...) it would be possible to get the message printed directly to the console by the module, and see whether it contains "password". This kind of ugly hack could go into PAM, or into GDM/PolicyKit/gnome-screensaver, but upstreams generally don't really like this kind of solution.