Hello Jakub,

I have prepared a patch (see Novell bugzilla) that adds a check for the "Decrypt integrity check failed" Kerberos error code to the switch statement, which then returns PAM_AUTH_ERR.

I tested that patch with OpenSUSE 12.2 + KDM as well as SSH password based login and can confirm that the misleading error message goes away (for SSH there was only a misleading syslog error but not for the user).
However, the mentioned patch only changes the PAM return code when using Kerberos with a password. I am not sure if there may be other spots in the krb5_child that may also need fixing, as there are other possibilities to use Kerberos auth (forwarded TGT, keytab, and so on).
Best regards,
Joschi Brauchle

On 09/09/2012 04:03 PM, Jakub Hrozek wrote:
> On Fri, Sep 07, 2012 at 05:44:59PM +0200, Joschi Brauchle wrote:
>> Hello,
>>
>> I noticed a problem when using pam_sss (1.8.3) under OpenSUSE 12.2 + KDE and filed a bug report there: https://bugzilla.novell.com/show_bug.cgi?id=779246
>>
>> When a Kerberos user enters a wrong password, a KDM "Critical error" message pops up (see link above for a screenshot). In /var/log/messages, there is
>> ------
>> Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
>> Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
>> Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info: [Decrypt integrity check failed]
>> Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
>> Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user testuser: 4 (System error)
>> ------
>> As far as I know, "decrypt integrity fails" is the default Kerberos error message for a wrong password. Hence, this is not a "System error", but rather an authentication error.
>>
>> When looking at the code of "krb5_child.c", it seems like the default return code when checking the Kerberos TGT is "PAM_SYSTEM_ERR", which also gets returned in the event of a simply wrong password. I guess pam_sss should instead return "PAM_AUTH_ERR", is that correct? Has this been fixed in versions > 1.8.3?
>
> You are absolutely correct, nice catch Joschi. It has not been fixed so far, I have filed https://fedorahosted.org/sssd/ticket/1515 to track this
>
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
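The mapping discussed in the thread, as an added example that is not sssd's own code: a hypothetical `map_krb5_to_pam_before` reproduces the shape of a switch whose default is PAM_SYSTEM_ERR (so a wrong password surfaces as "System error"), and `map_krb5_to_pam_after` adds the explicit case for the "Decrypt integrity check failed" code, returning PAM_AUTH_ERR. The numeric values are reproduced from MIT krb5's krb5.h and Linux-PAM's pam_appl.h so the block builds without those headers; that they match the installed headers is an assumption, and the other cases in the switch are illustrative, not a claim about sssd's actual table. Keeping one shared mapper for every code path (password, keytab, forwarded TGT) is what avoids the per-call-site fixes the message above worries about.

```c
#include <stdio.h>

/* Assumed constants (values from MIT krb5 krb5.h and Linux-PAM pam_appl.h,
 * reproduced here so the example compiles without the development headers). */
#define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328378L)
#define KRB5KRB_AP_ERR_BAD_INTEGRITY    (-1765328353L) /* "Decrypt integrity check failed" */
#define PAM_SUCCESS      0
#define PAM_SYSTEM_ERR   4
#define PAM_AUTH_ERR     7
#define PAM_USER_UNKNOWN 10

typedef long krb5_error_code;

/* Illustrative "before" mapper: anything not listed explicitly falls through
 * to PAM_SYSTEM_ERR, which is how a wrong password ends up as "System error". */
int map_krb5_to_pam_before(krb5_error_code kerr)
{
    switch (kerr) {
    case 0:                               return PAM_SUCCESS;
    case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: return PAM_USER_UNKNOWN;
    default:                              return PAM_SYSTEM_ERR;
    }
}

/* Illustrative "after" mapper: the integrity-check failure a KDC returns for a
 * wrong password is classified as an authentication failure, not a system error.
 * Using this one function for every krb5 code path keeps the fix in one place. */
int map_krb5_to_pam_after(krb5_error_code kerr)
{
    switch (kerr) {
    case 0:                               return PAM_SUCCESS;
    case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: return PAM_USER_UNKNOWN;
    case KRB5KRB_AP_ERR_BAD_INTEGRITY:    return PAM_AUTH_ERR;
    default:                              return PAM_SYSTEM_ERR;
    }
}

int main(void)
{
    /* Constructed sample: the error a wrong password produced in the thread. */
    krb5_error_code kerr = KRB5KRB_AP_ERR_BAD_INTEGRITY;
    printf("before fix: pam status %d\n", map_krb5_to_pam_before(kerr)); /* 4 (System error) */
    printf("after fix:  pam status %d\n", map_krb5_to_pam_after(kerr));  /* 7 (Authentication failure) */
    return 0;
}
```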
