Hello Jakub,
I have prepared a patch (see Novell bugzilla) that adds a check for the
"Decrypt integrity check failed" Kerberos error code to the switch
statement, which then returns PAM_AUTH_ERR.
I tested that patch with OpenSUSE 12.2 + KDM as well as SSH password
based login and can confirm that the misleading error message goes away
(for SSH there was only a misleading syslog error but not for the user).
However, the mentioned patch only changes the PAM return code when using
Kerberos with a password. I am not sure if there may be other spots in
the krb5_child that may also need fixing, as there are other
possibilities to use Kerberos auth (forwarded TGT, keytab, and so on).
Best regards,
Joschi Brauchle
On 09/09/2012 04:03 PM, Jakub Hrozek wrote:
On Fri, Sep 07, 2012 at 05:44:59PM +0200, Joschi Brauchle wrote:
> Hello,
>
> I noticed a problem when using pam_sss (1.8.3) under OpenSUSE 12.2 +
> KDE and filed a bugreport there:
>
> https://bugzilla.novell.com/show_bug.cgi?id=779246
>
> When a Kerberos user enters a wrong password, a KDM "Critical error"
> message pops up (see link above for a screenshot).
>
> In /var/log/messages, there is
> ------
> Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check
> failed
> Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check
> failed
> Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info:
> [Decrypt integrity check failed]
> Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
> Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth):
> received for user
> testuser: 4 (System error)
> ------
>
> As far as I know, "decrypt integrity fails" is the default Kerberos
> error message for a wrong password. Hence, this is not a "System
> error", but rather an authentication error.
>
> When looking at the code of "krb5_child.c", it seems like the
> default return code when checking the Kerberos TGT is
> "PAM_SYSTEM_ERR", which also gets returned in the event of a simply
> wrong password.
>
> I guess, pam_sss should instead return "PAM_AUTH_ERR", is that correct?
> Has this been fixed in versions > 1.8.3?
>
You are absolutely correct, nice catch Joschi.
It has not been fixed so far, I have filed
https://fedorahosted.org/sssd/ticket/1515 to track this
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
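The thread above is about the switch statement in krb5_child that turns a Kerberos error code into a PAM return code, and about a wrong password surfacing as PAM_SYSTEM_ERR ("4 (System error)" in the KDM log) instead of PAM_AUTH_ERR. The following is an added, self-contained example written for this page; it is not the SSSD krb5_child code and not Joschi's patch. It reconstructs the shape of the problem as an illustrative "before" mapping next to a "fixed" mapping that also handles KRB5KRB_AP_ERR_BAD_INTEGRITY (the code behind the "Decrypt integrity check failed" message). The function names are hypothetical; the numeric constants are mirrored from the public MIT Kerberos and Linux-PAM headers so the file compiles without either library installed.

```c
#include <stdio.h>

/* Error-code values mirrored from MIT krb5's krb5_err.h and Linux-PAM's
 * security/pam_modules.h, defined inline here so the example builds on its own.
 * Kerberos error codes are ERROR_TABLE_BASE_krb5 plus the protocol error number. */
#define ERROR_TABLE_BASE_krb5           (-1765328384L)
#define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (ERROR_TABLE_BASE_krb5 + 6)
#define KRB5KDC_ERR_CLIENT_REVOKED      (ERROR_TABLE_BASE_krb5 + 18)
#define KRB5KDC_ERR_KEY_EXP             (ERROR_TABLE_BASE_krb5 + 23)
#define KRB5KDC_ERR_PREAUTH_FAILED      (ERROR_TABLE_BASE_krb5 + 24)
#define KRB5KRB_AP_ERR_BAD_INTEGRITY    (ERROR_TABLE_BASE_krb5 + 31) /* "Decrypt integrity check failed" */

#define PAM_SUCCESS           0
#define PAM_SYSTEM_ERR        4
#define PAM_PERM_DENIED       6
#define PAM_AUTH_ERR          7
#define PAM_USER_UNKNOWN     10
#define PAM_NEW_AUTHTOK_REQD 12

/* Illustrative "before" mapping (hypothetical, not the real krb5_child code):
 * only the pre-authentication failure is recognised as a bad password, so a
 * KDC that answers a wrong password with BAD_INTEGRITY falls through to the
 * default branch and the user is shown a system error. */
int map_krb5_error_before_fix(long kerr)
{
    switch (kerr) {
    case 0:
        return PAM_SUCCESS;
    case KRB5KDC_ERR_PREAUTH_FAILED:
        return PAM_AUTH_ERR;
    case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return PAM_USER_UNKNOWN;
    default:
        return PAM_SYSTEM_ERR;   /* everything else, including wrong password via BAD_INTEGRITY */
    }
}

/* Fixed mapping: every Kerberos code that means "the credentials were wrong"
 * is translated to PAM_AUTH_ERR, and the remaining account-state codes get
 * their own PAM meaning. PAM_SYSTEM_ERR is reserved for genuinely unexpected
 * failures, which is what an auditor reading the syslog line expects. */
int map_krb5_error_to_pam(long kerr)
{
    switch (kerr) {
    case 0:
        return PAM_SUCCESS;
    case KRB5KDC_ERR_PREAUTH_FAILED:
    case KRB5KRB_AP_ERR_BAD_INTEGRITY:  /* wrong password without pre-authentication */
        return PAM_AUTH_ERR;
    case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
        return PAM_USER_UNKNOWN;
    case KRB5KDC_ERR_KEY_EXP:
        return PAM_NEW_AUTHTOK_REQD;    /* password expired, not a system fault */
    case KRB5KDC_ERR_CLIENT_REVOKED:
        return PAM_PERM_DENIED;         /* principal locked or disabled */
    default:
        return PAM_SYSTEM_ERR;          /* unknown codes stay "system error" and should be logged */
    }
}

int main(void)
{
    /* Constructed sample: the codes a KDC returns for a wrong password and
     * for an unknown error, compared across both mappings. */
    const long samples[] = { KRB5KRB_AP_ERR_BAD_INTEGRITY, KRB5KDC_ERR_PREAUTH_FAILED, 12345L };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("krb5 %ld: before=%d fixed=%d\n", samples[i],
               map_krb5_error_before_fix(samples[i]),
               map_krb5_error_to_pam(samples[i]));
    }
    return 0;
}
```

The point of keeping PAM_SYSTEM_ERR as the default branch is that a code nobody anticipated should still be visible as an error, not silently counted as a failed login; the fix is to enumerate the credential-failure codes explicitly, which is what the patch described in the thread does for the password path.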