Hello,
I noticed a problem when using pam_sss (1.8.3) under OpenSUSE 12.2 + KDE and filed a bugreport there: https://bugzilla.novell.com/show_bug.cgi?id=779246
When a Kerberos user enters a wrong password, a KDM "Critical error" message pops up (see link above for a screenshot).
In /var/log/messages, there is
------
Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info: [Decrypt integrity check failed]
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user testuser: 4 (System error)
------
As far as I know, "decrypt integrity fails" is the default Kerberos error message for a wrong password. Hence, this is not a "System error", but rather an authentication error.
When looking at the code of "krb5_child.c", it seems like the default return code when checking the Kerberos TGT is "PAM_SYSTEM_ERR", which also gets returned in the event of a simply wrong password.
I guess pam_sss should instead return "PAM_AUTH_ERR"; is that correct? Has this been fixed in versions > 1.8.3?
Best regards, Joschi Brauchle
On 09/07/2012 11:44 AM, Joschi Brauchle wrote:
You can check the latest code here: http://git.fedorahosted.org/git/sssd If it is still not fixed please file a ticket: https://fedorahosted.org/sssd/
Thank you for your help!
On Fri, Sep 07, 2012 at 05:44:59PM +0200, Joschi Brauchle wrote:
You are absolutely correct, nice catch Joschi.
It has not been fixed so far; I have filed https://fedorahosted.org/sssd/ticket/1515 to track this.
Hello Jakub,
I have prepared a patch (see Novell bugzilla) that adds a check for the "Decrypt integrity check failed" Kerberos error code to the switch statement, which then returns PAM_AUTH_ERR.
I tested that patch with OpenSUSE 12.2 + KDM as well as SSH password-based login and can confirm that the misleading error message goes away (for SSH there was only a misleading syslog error but not for the user).
However, the mentioned patch only changes the PAM return code when using Kerberos with a password. I am not sure if there may be other spots in the krb5_child that may also need fixing, as there are other possibilities to use Kerberos auth (forwarded TGT, keytab, and so on).
Best regards, Joschi Brauchle
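The return-code mapping discussed in the first message and changed by the patch above, as an added illustration (my code, not the sssd patch or krb5_child.c itself): the "before" switch that falls through to PAM_SYSTEM_ERR beside the "after" switch that reports a wrong password as PAM_AUTH_ERR, with the krb5 and PAM constants defined locally so it compiles without the krb5/PAM headers. The KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN case, the KRB5KDC_ERR_PREAUTH_FAILED case (a generalization beyond the single code the patch adds) and the helper names are assumptions.

```c
#include <stdint.h>

/* Stand-ins for the krb5.h and security/pam_appl.h constants, defined here so
 * the block compiles without those headers. Values follow MIT krb5's error
 * table and Linux-PAM as far as I know them; the logic only needs the names. */
typedef int32_t krb5_error_code;
#define KRB5_ERR_BASE                   (-1765328384)
#define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (KRB5_ERR_BASE + 6)  /* client not in KDC db */
#define KRB5KDC_ERR_PREAUTH_FAILED      (KRB5_ERR_BASE + 24) /* pre-auth with bad key */
#define KRB5KRB_AP_ERR_BAD_INTEGRITY    (KRB5_ERR_BASE + 31) /* "Decrypt integrity check failed" */
#define PAM_SUCCESS       0
#define PAM_SYSTEM_ERR    4   /* what pam_sss logged above: "4 (System error)" */
#define PAM_AUTH_ERR      7
#define PAM_USER_UNKNOWN 10

/* Behaviour the thread describes: the TGT check in krb5_child.c falls through
 * to PAM_SYSTEM_ERR for any Kerberos error it does not list explicitly, so a
 * plain wrong password (KRB5KRB_AP_ERR_BAD_INTEGRITY) is reported as a system
 * failure. Illustrative switch (assumed), not the exact 1.8.3 code. */
int krb5_err_to_pam_before(krb5_error_code kerr)
{
    switch (kerr) {
    case 0:                               return PAM_SUCCESS;
    case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: return PAM_USER_UNKNOWN;
    default:                              return PAM_SYSTEM_ERR;
    }
}

/* The fix: add the wrong-password error codes as explicit cases that return
 * PAM_AUTH_ERR. Kept in one function so the password-change path can reuse
 * it instead of carrying a second copy of the switch. */
int krb5_err_to_pam_after(krb5_error_code kerr)
{
    switch (kerr) {
    case 0:                               return PAM_SUCCESS;
    case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: return PAM_USER_UNKNOWN;
    case KRB5KRB_AP_ERR_BAD_INTEGRITY:    /* wrong password, KDC without pre-auth */
    case KRB5KDC_ERR_PREAUTH_FAILED:      /* wrong password, KDC with pre-auth    */
                                          return PAM_AUTH_ERR;
    default:                              return PAM_SYSTEM_ERR;
    }
}

/* Password change verifies the old password with the same TGT request first,
 * so its status for that step comes from the same mapping (assumed helper). */
int chpass_old_password_status(krb5_error_code kerr)
{
    return krb5_err_to_pam_after(kerr);
}
```

Anything the switch does not list on purpose (KDC unreachable, clock skew and the like) still maps to PAM_SYSTEM_ERR, which is the correct answer for a real infrastructure failure.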
On Sun, Sep 09, 2012 at 04:11:07PM +0200, Joschi Brauchle wrote:
Yep, my patch added the same handler as yours did, just inside a new function that is also reused during password change.
Thanks again!
sssd-users@lists.fedorahosted.org