From bear@coyotesong.com  Sat Jan  8 17:14:03 2000
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
	by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id RAA01803
	for <bugs@RT-11.MIT.EDU>; Sat, 8 Jan 2000 17:14:03 -0500 (EST)
Received: from bgiles.dimensional.com by MIT.EDU with SMTP
	id AA29912; Sat, 8 Jan 00 17:14:58 EST
Received: (from bear@localhost)
	by eris.coyotesong.com (8.9.3/8.9.3/Debian/GNU) id PAA24345;
	Sat, 8 Jan 2000 15:14:07 -0700
Message-Id: <200001082214.PAA24345@eris.coyotesong.com>
Date: Sat, 8 Jan 2000 15:14:07 -0700
From: bgiles@coyotesong.com
Reply-To: bgiles@coyotesong.com
To: krb5-bugs@MIT.EDU
Cc:
Subject: confusing error messages with ktelnetd -a user|valid
X-Send-Pr-Version: 3.99

>Number:         808
>Category:       telnet
>Synopsis:       confusing error messages with ktelnetd -a user|valid
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    raeburn
>State:          feedback
>Class:          change-request
>Submitter-Id:   unknown
>Arrival-Date:   Sat Jan  8 17:15:00 EST 2000
>Last-Modified:  Mon Feb 21 16:35:58 EST 2000
>Originator:     Bear Giles
>Organization:
Bear Giles
bgiles@coyotesong.com
>Release:        krb5-1.1.1
>Environment:
Debian 2.1r5
	
System: Linux eris 2.2.13 #7 SMP Sat Oct 30 20:57:16 MDT 1999 i686 unknown
Architecture: i686

>Description:
There is a confusing discrepency between the behavior of krlogin and
ktelnet, and insufficient error messages with the latter to indicate
to the user what the problem is.

With authentication turned on, "krlogin host" results in a login prompt
and default local user name.  I have the option to specify a different 
local user name, if desired, but it's clear that my credentials have
been automatically sent to the server.

With authentication turned on, "ktelnet host" results in an abrupt
"Authentication failed" error message, with absolutely no indication
that the reason the authentication failed was that "ktelnet" does
*not* automatically send my creditials.  This incorrect error model
was reinforced by the "-D report" - it clearly shows "send do AUTHENTICATION"/
"recv wont AUTHENTICATION" dialog.

Of course, the real problem was that I didn't specify the "-a" option
to ktelnet.  It never occured to me because I use multiple different
account names and I normally specify the account name interactively,
instead of on the command line.

>How-To-Repeat:
N/A.
	
>Fix:
	
Ideally, credentials should be automatically sent whenever requested,
without any special user action.  Alt. this could be tied to the
program name, e.g., "telnet" doesn't send credentials by default 
but "ktelnet" does.

At the same time, the "authentication failed" message should be expanded
to include an "no authentication provided" message.

This patch file addresses the second point; the first one
will require a policy decision by the Kerberos maintainers.

begin 664 0007
M+2TM(&]L9"]S<F,O=&5L;F5T+W1E;&YE=&0O=&5L;F5T9"YC"5-A="!*86X@
M(#@@,30Z,#0Z,C,@,C`P,`HK*RL@;F5W+W-R8R]T96QN970O=&5L;F5T9"]T
M96QN971D+F,)4V%T($IA;B`@."`Q-3HQ,3HT,B`R,#`P"D!`("TQ,#`X+#8@
M*S$P,#@L,3(@0$`*(`EL979E;"`](&=E='1E<FUI;F%L='EP92AU<V5R7VYA
M;64I.PH@"7-E=&5N=B@B5$5232(L("IT97)M:6YA;'1Y<&4@/R!T97)M:6YA
M;'1Y<&4@.B`B;F5T=V]R:R(L(#$I.PH@"BLC:68@9&5F:6YE9"`H05542$5.
M5$E#051)3TXI"BL):68@*'5S97)?;F%M92`]/2`P('Q\('5S97)?;F%M95LP
M72`]/2`G7#`G*2!["BL)"69A=&%L("AN970L(").;R!A=71H96YT:6-A=&EO
M;B!P<F]V:61E9"(I.PHK"0EE>&ET("@M,2D["BL)?0HK(V5N9&EF"B`)+RH*
M(`D@*B!3=&%R="!U<"!T:&4@;&]G:6X@<')O8V5S<R!O;B!T:&4@<VQA=F4@
;<VED92!O9B!T:&4@=&5R;6EN86P*(`D@*B\*
`
end

>Audit-Trail:

Responsible-Changed-From-To: hartmans->raeburn
Responsible-Changed-By: raeburn
Responsible-Changed-When: Mon Feb 21 16:35:23 2000
Responsible-Changed-Why:
I'll take it...

State-Changed-From-To: open-feedback
State-Changed-By: raeburn
State-Changed-When: Mon Feb 21 16:35:29 2000
State-Changed-Why:

I put in a slightly different version of the change, since it's not
actually possible for user_name to be zero (it's the base of an
automatic array).

>Unformatted: