
Possible security issue with delayed autologin #372

Open
pitsi opened this issue Aug 6, 2024 · 2 comments


pitsi commented Aug 6, 2024

Hello everyone. I am noticing the following behavior on my system and I would like your thoughts if it is considered a security issue or not.

I have a fresh (~1 month old) debian unstable x64 installation with lightdm 1.32, the gtk greeter, xfce and kodi. Like on my other system which runs the same, I have set up lightdm to autologin to whatever the default session is. On this one though, I have set a 30 second delay, because sometimes I want to login to kodi (via /usr/share/xsessions/kodi.desktop, a session that starts kodi as the desktop environment and nothing else). For that reason, I have changed these values in /etc/lightdm/lightdm.conf

autologin-user=pitsi
autologin-user-timeout=30

It works as it should, except for one little thing. If during that delay I type the username in the relevant field, I press enter (so as to accept it) and then press the login button with the mouse, it logs in without asking for the password!
If it helps, this is what /var/log/lightdm/lightdm.log says

# cat /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Starting Light Display Manager 1.32.0, UID=0 PID=705
[+0.00s] DEBUG: Loading configuration dirs from /usr/share/lightdm/lightdm.conf.d
[+0.00s] DEBUG: Loading configuration from /usr/share/lightdm/lightdm.conf.d/01_debian.conf
[+0.00s] DEBUG: Loading configuration dirs from /usr/local/share/lightdm/lightdm.conf.d
[+0.00s] DEBUG: Loading configuration dirs from /etc/xdg/lightdm/lightdm.conf.d
[+0.00s] DEBUG: Loading configuration from /etc/lightdm/lightdm.conf
[+0.00s] DEBUG: Registered seat module local
[+0.00s] DEBUG: Registered seat module xremote
[+0.00s] DEBUG: Using D-Bus name org.freedesktop.DisplayManager
[+0.00s] DEBUG: Using cross-namespace EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)
[+0.00s] DEBUG: _g_io_module_get_default: Found default implementation local (GLocalVfs) for ‘gio-vfs’
[+0.01s] DEBUG: Monitoring logind for seats
[+0.01s] DEBUG: New seat added from logind: seat0
[+0.01s] DEBUG: Seat seat0: Loading properties from config section Seat:*
[+0.01s] DEBUG: Seat seat0 has property CanMultiSession=no
[+0.01s] DEBUG: Seat seat0: Starting
[+0.01s] DEBUG: Seat seat0: Creating greeter session
[+0.01s] DEBUG: Seat seat0: Creating display server of type x
[+0.01s] DEBUG: Could not run plymouth --ping: Failed to execute child process “plymouth” (No such file or directory)
[+0.01s] DEBUG: Using VT 7
[+0.01s] DEBUG: Seat seat0: Starting local X display on VT 7
[+0.01s] DEBUG: XServer 0: Logging to /var/log/lightdm/x-0.log
[+0.01s] DEBUG: XServer 0: Writing X server authority to /var/run/lightdm/root/:0
[+0.01s] DEBUG: XServer 0: Launching X Server
[+0.01s] DEBUG: Launching process 714: /usr/bin/X :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
[+0.01s] DEBUG: XServer 0: Waiting for ready signal from X server :0
[+0.01s] DEBUG: Acquired bus name org.freedesktop.DisplayManager
[+0.01s] DEBUG: Registering seat with bus path /org/freedesktop/DisplayManager/Seat0
[+0.02s] WARNING: Error getting user list from org.freedesktop.Accounts: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Accounts was not provided by any .service files
[+0.02s] DEBUG: Loading user config from /etc/lightdm/users.conf
[+0.04s] DEBUG: User pitsi added
[+1.12s] DEBUG: Got signal 10 from process 714
[+1.12s] DEBUG: XServer 0: Got signal from X server :0
[+1.12s] DEBUG: XServer 0: Connecting to XServer :0
[+1.19s] DEBUG: Seat seat0: Display server ready, starting session authentication
[+1.19s] DEBUG: Session pid=733: Started with service 'lightdm-greeter', username 'lightdm'
[+1.22s] DEBUG: Session pid=733: Authentication complete with return value 0: Success
[+1.22s] DEBUG: Seat seat0: Session authenticated, running command
[+1.22s] DEBUG: Session pid=733: Running command /usr/sbin/lightdm-gtk-greeter
[+1.22s] DEBUG: Creating shared data directory /var/lib/lightdm/data/lightdm
[+1.22s] DEBUG: Session pid=733: Logging to /var/log/lightdm/seat0-greeter.log
[+1.77s] DEBUG: Activating VT 7
[+1.77s] DEBUG: Activating login1 session c1
[+1.77s] DEBUG: Seat seat0 changes active session to c1
[+1.77s] DEBUG: Session c1 is already active
[+2.21s] DEBUG: Greeter connected version=1.32.0 api=1 resettable=false
[+2.55s] DEBUG: Greeter start authentication
[+2.55s] DEBUG: Session pid=783: Started with service 'lightdm', username '(null)'
[+2.56s] DEBUG: Session pid=783: Got 1 message(s) from PAM
[+2.56s] DEBUG: Prompt greeter with 1 message(s)
[+5.08s] DEBUG: Greeter start authentication for pitsi
[+5.08s] DEBUG: Session pid=783: Sending SIGTERM
[+5.08s] DEBUG: Session pid=784: Started with service 'lightdm-autologin', username 'pitsi'
[+5.08s] DEBUG: Session pid=783: Terminated with signal 15
[+5.08s] DEBUG: Session: Failed during authentication
[+5.08s] DEBUG: Seat seat0: Session stopped
[+5.10s] DEBUG: Session pid=784: Authentication complete with return value 0: Success
[+5.10s] DEBUG: Authenticate result for user pitsi: Success
[+5.10s] DEBUG: User pitsi authorized
[+10.25s] DEBUG: Greeter requests session xfce
[+10.26s] DEBUG: Seat seat0: Stopping greeter; display server will be re-used for user session
[+10.26s] DEBUG: Terminating login1 session c1
[+10.26s] DEBUG: Session pid=733: Sending SIGTERM
[+10.28s] DEBUG: Greeter closed communication channel
[+10.28s] DEBUG: Session pid=733: Exited with return value 0
[+10.28s] DEBUG: Seat seat0: Session stopped
[+10.28s] DEBUG: Seat seat0: Greeter stopped, running session
[+10.28s] DEBUG: Registering session with bus path /org/freedesktop/DisplayManager/Session0
[+10.29s] DEBUG: Session pid=784: Running command /etc/X11/Xsession startxfce4
[+10.29s] DEBUG: Creating shared data directory /var/lib/lightdm/data/pitsi
[+10.29s] DEBUG: Session pid=784: Logging to .xsession-errors
[+10.86s] DEBUG: Activating VT 7
[+10.86s] DEBUG: Activating login1 session 2
[+10.86s] DEBUG: Seat seat0 changes active session to 
[+10.86s] DEBUG: Seat seat0 changes active session to 2
[+10.86s] DEBUG: Session 2 is already active
@codechipped

The login attempt that you make through the gtk-greeter fails to authenticate:

[+2.55s] DEBUG: Session pid=783: Started with service 'lightdm', username '(null)'
[+5.08s] DEBUG: Session pid=783: Sending SIGTERM
[+5.08s] DEBUG: Session pid=783: Terminated with signal 15
[+5.08s] DEBUG: Session: Failed during authentication
[+5.08s] DEBUG: Seat seat0: Session stopped

Which logs you in using the autologin.

[+5.08s] DEBUG: Session pid=784: Started with service 'lightdm-autologin', username 'pitsi'
[+5.10s] DEBUG: Session pid=784: Authentication complete with return value 0: Success

I'm not really sure why it would be kicking it over to autologin immediately after it fails to authenticate. I'm guessing it might have something to do with your PAM settings or however you configured it to start your Kodi session.
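Added example, not code from the issue or from the lightdm project: a small Python parser over lightdm.log lines that flags the sequence codechipped points to, an interactive 'lightdm' PAM session being terminated and, within a short window, a 'lightdm-autologin' session authenticating successfully, so that someone reviewing the log can spot a greeter attempt that ended in an autologin. The sample log is constructed from the excerpt in the issue, and the one-second window is an assumed threshold.

```python
import re

# lightdm.log lines look like "[+5.08s] DEBUG: <message>".
LINE_RE = re.compile(r"^\[\+(?P<t>[0-9.]+)s\] (?P<level>\w+): (?P<msg>.*)$")
START_RE = re.compile(r"Session pid=(?P<pid>\d+): Started with service "
                      r"'(?P<svc>[^']+)', username '(?P<user>[^']*)'")
TERM_RE = re.compile(r"Session pid=(?P<pid>\d+): Terminated with signal")
AUTH_OK_RE = re.compile(r"Session pid=(?P<pid>\d+): Authentication complete "
                        r"with return value 0")


def find_autologin_after_greeter(lines, window=1.0):
    """Return (greeter_pid, autologin_pid, user, delay_s) for every case where
    a greeter-started 'lightdm' PAM session was terminated and, within
    `window` seconds (assumed threshold), a 'lightdm-autologin' session authenticated."""
    sessions = {}   # pid -> (service, username), from "Started with service"
    killed = []     # (pid, time) of terminated interactive 'lightdm' sessions
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t, msg = float(m.group("t")), m.group("msg")
        if s := START_RE.search(msg):
            sessions[s.group("pid")] = (s.group("svc"), s.group("user"))
        elif k := TERM_RE.search(msg):
            if sessions.get(k.group("pid"), ("",))[0] == "lightdm":
                killed.append((k.group("pid"), t))
        elif a := AUTH_OK_RE.search(msg):
            svc, user = sessions.get(a.group("pid"), ("", ""))
            if svc != "lightdm-autologin":
                continue
            for gpid, gt in killed:
                if 0 <= t - gt <= window:
                    findings.append((gpid, a.group("pid"), user, round(t - gt, 2)))
    return findings


# Constructed sample, trimmed from the lightdm.log excerpt in the issue.
SAMPLE_LOG = """\
[+2.55s] DEBUG: Session pid=783: Started with service 'lightdm', username '(null)'
[+5.08s] DEBUG: Greeter start authentication for pitsi
[+5.08s] DEBUG: Session pid=783: Sending SIGTERM
[+5.08s] DEBUG: Session pid=784: Started with service 'lightdm-autologin', username 'pitsi'
[+5.08s] DEBUG: Session pid=783: Terminated with signal 15
[+5.10s] DEBUG: Session pid=784: Authentication complete with return value 0: Success
""".splitlines()

if __name__ == "__main__":
    for gpid, apid, user, delay in find_autologin_after_greeter(SAMPLE_LOG):
        print(f"pid={apid} auto-logged in {user!r} {delay:.2f}s after greeter pid={gpid} was killed")
```

Run it against the real file with `find_autologin_after_greeter(open("/var/log/lightdm/lightdm.log"))`; an empty list means no greeter attempt was followed by an autologin within the window.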


pitsi commented Dec 13, 2024

Since I cannot use ffmpeg to grab a video of the lightdm during login and post it, how can I find that PAM setting/module which does that? Also, it autologins to xfce; kodi's session is just an example.
