Re: my getting RC=31 (decrypt integrity check) for various conditions, like expired principal or passphrase or non-existent principal.

I've done some further testing and here's my situation:

It appears that the '--with-vague-errors' configure option just affects the text of error messages, not the return codes. So, I've compiled without that option and even kinit exhibits the same problem: it tells me I've entered an incorrect password, even though that's not true.

In fact, if the principal is expired, or the passphrase is expired, etc., it appears that the KDC 'short circuits' the AS exchange, not issuing a 'PRE_AUTH_REQUIRED' message and just reporting a bad passphrase.

My applications need to be able to distinguish between these various conditions, for which there are documented return codes. Why are they not being returned?

Since '--with-vague-errors' is not the issue here, my question is, what else might have changed between 1.4.2 and 1.6.1 to cause this new behavior?

Thanks.

Mike

========================================================================

On Tue, 27 Jan 2009 at 15:53 (-0800), Mike Friedman wrote:

> If I have a principal that has any of the following set, then, even if I
> supply the correct password, I get back a return code of 31 (decrypt
> integrity check), instead of the more specific return code that would
> correspond to the specific situation:
>
>    CLIENT_NOT_FOUND
>    CLIENT EXPIRED
>    REQUIRED PWCHANGE
>    CLIENT KEY EXPIRED
>
> But if none of the above is true, then my authentication succeeds (RC=0)
> if I supply the correct password, and fails with the expected RC=31 if I
> enter an invalid password.
>
> This is krb5-1.6.3 on FreeBSD.
_________________________________________________________________________
Mike Friedman                   Information Services & Technology
[email protected]            2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://mikef.berkeley.edu       http://ist.berkeley.edu
_________________________________________________________________________
