[Bug 779246] New: pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up
https://bugzilla.novell.com/show_bug.cgi?id=779246

https://bugzilla.novell.com/show_bug.cgi?id=779246#c0

Summary: pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: joschibrauchle@gmx.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=504857)
 --> (http://bugzilla.novell.com/attachment.cgi?id=504857)
KDM error message when entering wrong password

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

When using Kerberos as auth_provider along with SSSD, the user receives a very exaggerated error message (see screenshot), when simply entering a wrong password at the KDM login prompt:
--------
A critial error occured.
Please look at KDM's logfile(s) for more information or contact your system administrator.
--------

Entries in /var/log/messages:
--------
Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info: [Decrypt integrity check failed]
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user testuser: 4 (System error)
--------

The problem seems to be that "pam_sss" wrongly interprets the "Decrypt integrity check failed" error as a critical error, although this is simply the default Kerberos error meaning "wrong password".
See here for reference: http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#badpass

The previous PAM Kerberos module "pam_krb5" did not produce such a stupid message, but simply erased the wrong password and prompted the user again.

Reproducible: Always

Steps to Reproduce:
1. Use Kerberos auth_provider for SSSD
2. Enter wrong password for a Kerberos user at KDM login screen

Actual Results:
Error message pops up.

Expected Results:
Password should simply be erased and user should be prompted again without error message.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
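Because the wrong password surfaces here as PAM result 4 (System error), log tooling that counts failed logins from the pam_sss result alone would misfile it. The following is an added example, not part of the original report or of SSSD: it relabels such results by correlating them with the krb5_child message on the same host and second. The function name `classify`, the verdict labels and the final sample line are assumptions made for the illustration.

```python
import re

PAM_SYSTEM_ERR = 4  # Linux-PAM value, logged in the report as "4 (System error)"
KRB5_BAD_PASSWORD = "Decrypt integrity check failed"

STAMP = r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
CHILD_RE = re.compile(STAMP + r"\[sssd\[krb5_child\[\d+\]\]\]:\s+(?P<msg>.*)$")
PAM_RE = re.compile(STAMP + r".*pam_sss\((?P<svc>[^:]+):auth\): received for user "
                    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

# First five lines are the /var/log/messages entries from the report.
# The last line is constructed: a System error with no krb5_child message.
SAMPLE_LOG = """\
Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info: [Decrypt integrity check failed]
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user testuser: 4 (System error)
Sep 7 11:40:10 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user testuser: 4 (System error)
"""

def classify(log_text):
    """Return one event per pam_sss auth result, with a corrected verdict."""
    lines = log_text.splitlines()
    # Pass 1: (host, second) pairs where krb5_child reported the wrong-password error.
    # krb5_child and kdm have different PIDs, so time and host are the only join keys.
    bad_pw = set()
    for line in lines:
        m = CHILD_RE.match(line)
        if m and m["msg"].strip() == KRB5_BAD_PASSWORD:
            bad_pw.add((m["host"], m["ts"]))
    # Pass 2: relabel each pam_sss result using what krb5_child said at that moment.
    events = []
    for line in lines:
        m = PAM_RE.match(line)
        if not m:
            continue
        code = int(m["code"])
        if code == PAM_SYSTEM_ERR and (m["host"], m["ts"]) in bad_pw:
            verdict = "wrong_password"   # misreported as System error
        elif code == PAM_SYSTEM_ERR:
            verdict = "system_error"     # no Kerberos explanation found
        else:
            verdict = "other"
        events.append({"ts": m["ts"], "host": m["host"], "service": m["svc"],
                       "user": m["user"], "pam_code": code, "verdict": verdict})
    return events
```

Joining on the same second is a coarse heuristic; on a busy host a wider window or a per-user key would be needed.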
https://bugzilla.novell.com/show_bug.cgi?id=779246
https://bugzilla.novell.com/show_bug.cgi?id=779246#c9
Jan Lieskovsky
After the update includes some security-fixes, I changed needinfo to the security-team.
why do you think upstream sssd 1.8.5 version:
[1] https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.5

is correcting some security flaw? (from what I have looked none of the changes seems to have side security implications)

Could you clarify?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team