[Bug 779246] New: pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

older
[Bug 789233] New: pressing numlock...

bugzilla_noreply＠novell.com

7 Sep 2012 7 Sep '12

12:28

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c0 Summary: pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up Classification: openSUSE Product: openSUSE 12.2 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: joschibrauchle@gmx.de QAContact: qa-bugs@suse.de Found By: --- Blocker: --- Created an attachment (id=504857) --> (http://bugzilla.novell.com/attachment.cgi?id=504857) KDM error message when entering wrong password User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 When using Kerberos as auth_provider along with SSSD, the user receives a very exaggerated error message (see screenshot), when simply entering a wrong password at the KDM login prompt: -------- A critial error occured. Please look at KDM's logfile(s) for more information or contact your system administrator. -------- Entries in /var/log/messages: -------- Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info: [Decrypt integrity check failed] Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user testuser: 4 (System error) -------- The problem seems to be that "pam_sss" wrongly interprets the "Decrypt integrity check failed" error as a critical error, although this is simply the default Kerberos error meaning "wrong password". See here for reference: http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#badpass The previous PAM Kerberos module "pam_krb5" did not produce such a stupid message, but simply erased the wrong password and prompted the user again. Reproducible: Always Steps to Reproduce: 1. Use Kerberos auth_provider for SSSD 2. Enter wrong password for a Kerberos user at KDM login screen Actual Results: Error message pops up. Expected Results: Password should simply be erased and user should be prompted again without error message. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

7 Sep 7 Sep

12:31

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c Joschi Brauchle changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-screening@forge.pr |jengelh@inai.de |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:24

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c1 --- Comment #1 from Joschi Brauchle 2012-09-07 15:24:57 UTC --- Digging in the source of krb5_child.c, it becomes clear that the function "tgt_req_child" (line 860) has a default return value of "PAM_SYSTEM_ERR" (line 866), which also gets returned in the case of a wrong password (line 918 to 933). As far as I understand, the module should return "PAM_AUTH_ERR" instead! In comparison, "pam_krb5" also returns "PAM_SYSTEM_ERR" in case of an error during Kerberos initialization, but then sets a default return code of "PAM_AUTH_ERR" after the Kerberos initialization is successful (auth.c, line 214). Hence, a wrong password will automatically return "PAM_AUTH_ERR" there. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:25

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c Joschi Brauchle changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jengelh@inai.de |bnc-team-screening@forge.pr | |ovo.novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

9 Sep 9 Sep

13:09

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c2 --- Comment #2 from Joschi Brauchle 2012-09-09 13:09:06 UTC --- I also checked the source of MIT's kinit tools. They are testing the return value of the TGT request for the "KRB5KRB_AP_ERR_BAD_INTEGRITY" error code, which means bad password. Thus, I included the following patch to pam_sss, testing for "KRB5KRB_AP_ERR_BAD_INTEGRITY" and returning "PAM_AUTH_ERR" in that case: ------------------ diff -Pdpru a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c --- a/src/providers/krb5/krb5_child.c 2012-05-03 20:33:04.000000000 +0200 +++ b/src/providers/krb5/krb5_child.c 2012-09-09 12:13:27.825643722 +0200 @@ -927,6 +927,9 @@ static errno_t tgt_req_child(int fd, str case KRB5KDC_ERR_PREAUTH_FAILED: pam_status = PAM_CRED_ERR; break; + case KRB5KRB_AP_ERR_BAD_INTEGRITY: + pam_status = PAM_AUTH_ERR; + break; default: pam_status = PAM_SYSTEM_ERR; } ------------------ Please note that this patch only covers the Password+TGT auth, all other possible Kerberos authentication methods are not changed. Somebody more familiar with pam_sss and other Kerberos methods needs to check if there are changes needed as well. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:28

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c3 --- Comment #3 from Joschi Brauchle 2012-09-09 15:28:51 UTC --- It looks like the bug is now fixed upstream: https://fedorahosted.org/sssd/ticket/1515 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10 Sep 10 Sep

12:11

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c kk zhang changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kkzhang@suse.com AssignedTo|bnc-team-screening@forge.pr |kde-maintainers@suse.de |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

8 Oct 8 Oct

09:17

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c4 Joschi Brauchle changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|kde-maintainers@suse.de |jengelh@inai.de --- Comment #4 from Joschi Brauchle 2012-10-08 09:17:42 UTC --- As this is not a KDE bug but rather a problem with the SSSD package, I reassigned this to the maintainer of that package... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18 Oct 18 Oct

16:36

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c5 --- Comment #5 from Joschi Brauchle 2012-10-18 16:36:05 UTC --- This is the official patch for sssd 1.8 for this issue: http://git.fedorahosted.org/cgit/sssd.git/commit/src/providers/krb5/krb5_child.c?h=sssd-1-8&id=b196e1e91ec04ca5af93bfd2dcfc5225f4858a54 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

9 Nov 9 Nov

16:20

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c6 --- Comment #6 from Joschi Brauchle 2012-11-09 16:20:15 UTC --- According to this announcement, https://lists.fedorahosted.org/pipermail/sssd-users/2012-October/000210.html sssd 1.8.5 includes the patch! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

17:55

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c Jan Engelhardt changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

21:29

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c7 Jan Engelhardt changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |maintenance@opensuse.org --- Comment #7 from Jan Engelhardt 2012-11-09 22:29:35 CET --- Hi maintenance@, please consider SR 140785 to update sssd to 1.8.5 in openSUSE 12.2. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12 Nov 12 Nov

17:22

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c8 Benjamin Brunner changed: What |Removed |Added ---------------------------------------------------------------------------- InfoProvider|maintenance@opensuse.org |security-team@suse.de --- Comment #8 from Benjamin Brunner 2012-11-12 18:22:29 CET --- After the update includes some security-fixes, I changed needinfo to the security-team. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13 Nov 13 Nov

10:47

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c9 Jan Lieskovsky changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |iankko@seznam.cz --- Comment #9 from Jan Lieskovsky 2012-11-13 10:47:40 UTC --- Hello Benjamin, (In reply to comment #8)

...

After the update includes some security-fixes, I changed needinfo to the security-team.

why do you think upstream sssd 1.8.5 version: [1] https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.5 is correcting some security flaw? (from what I have looked none of the changes seems to have side security implications) Could you clarify? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:59

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c10 Matthias Weckbecker changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|security-team@suse.de | --- Comment #10 from Matthias Weckbecker 2012-11-13 14:59:11 CET --- Well, I think neither this bug nor the others noted at [1] have any security implications (at least no obvious issues). Maybe "Fixed a potential segfault when SRV records are used to discover services" might have, I simply wasn't able to find anything about it. Anyone knows if this can be triggered remotely by any external event? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16:37

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c11 --- Comment #11 from Benjamin Brunner 2012-11-13 17:37:18 CET --- Hi Jan, I wanted to clarify it because of the potential segfault and deadlock. But if it's not security-relevant, I'll start an maintenance-update. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16:50

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c12 --- Comment #12 from Joschi Brauchle 2012-11-13 16:50:45 UTC --- By chance I found another case that triggers the originally described problem: An empty password. I will report this to the sssd devel list, hence, please wait for updating the sssd package until the problem is also fixed for an empty password! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14 Nov 14 Nov

10:46

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c13 --- Comment #13 from Joschi Brauchle 2012-11-14 10:46:23 UTC --- A new SSSD ticket was filed here: https://fedorahosted.org/sssd/ticket/1641 In the meanwhile, I patched sssd 1.8.5 to check the Kerberos return for empty password and then returning PAM_AUTH_ERR from SSSD: ------------------ diff -Pdpru a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c --- a/src/providers/krb5/krb5_child.c 2012-10-03 13:44:13.000000000 +0200 +++ b/src/providers/krb5/krb5_child.c 2012-11-14 09:52:08.630657427 +0100 @@ -741,6 +741,7 @@ static int kerr_handle_error(krb5_error_ pam_status = PAM_NEW_AUTHTOK_REQD; break; case KRB5KRB_AP_ERR_BAD_INTEGRITY: + case KRB5_LIBOS_CANTREADPWD: pam_status = PAM_AUTH_ERR; break; case KRB5KDC_ERR_PREAUTH_FAILED: ------------------ A test with a *wrong* and *empty* password was successful (not showing "a critical error occured" but instead "authentication failed"). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15 Nov 15 Nov

23:28

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c14 --- Comment #14 from Jan Engelhardt 2012-11-16 00:28:36 CET --- Got an sr number for me to accept? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16 Nov 16 Nov

08:34

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c15 --- Comment #15 from Joschi Brauchle 2012-11-16 08:34:14 UTC --- You did already accept it here: https://build.opensuse.org/request/show/141264 Or should I submit it elsewhere? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:45

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c16 --- Comment #16 from Jan Engelhardt 2012-11-16 14:44:59 CET --- That's ok; thanks for the reminder. --- 141562 State:new By:jengelh When:2012-11-16T13:38:30 maintenance_incident: home:jengelh:branches:openSUSE:12.2:Update/sssd.openSUSE_12.2_Update -> openSUSE:Maintenance (release in openSUSE:12.2:Update) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

26 Nov 26 Nov

09:28

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c17 Benjamin Brunner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #17 from Benjamin Brunner 2012-11-26 10:28:37 CET --- Update released for openSUSE 12.2. Resolved fixed. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:09

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c18 --- Comment #18 from Swamp Workflow Management 2012-11-26 10:08:59 UTC --- openSUSE-RU-2012:1561-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 779246 CVE References: Sources used: openSUSE 12.2 (src): sssd-1.8.5-2.8.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:09

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c19 --- Comment #19 from Swamp Workflow Management 2012-11-26 10:09:34 UTC --- openSUSE-RU-2012:1569-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 779246 CVE References: Sources used: openSUSE 12.2 (src): sssd-1.8.5-2.8.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:09

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c20 --- Comment #20 from Swamp Workflow Management 2012-11-26 10:09:47 UTC --- openSUSE-RU-2012:1570-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 779246 CVE References: Sources used: openSUSE 12.2 (src): sssd-1.8.5-2.8.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:10

New subject: [Bug 779246] pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

https://bugzilla.novell.com/show_bug.cgi?id=779246 https://bugzilla.novell.com/show_bug.cgi?id=779246#c21 --- Comment #21 from Swamp Workflow Management 2012-11-26 10:10:00 UTC --- openSUSE-RU-2012:1571-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 779246 CVE References: Sources used: openSUSE 12.2 (src): sssd-1.8.5-2.8.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

4183

Age (days ago)

4263

Last active (days ago)

List overview

Download

25 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 779246] New: pam_sss: Entering wrong Kerberos password at KDM results in "Critical Error" message popping up

tags

participants (1)