
To: krb5-bugs@mit.edu
Subject: Return integrity error on bad password
Date: Tue, 6 May 2003 15:10:04 -0400 (EDT)
From: hartmans@MIT.EDU (Sam Hartman)


We should return a decrypt integrity error on bad password with
encrypted timestamp rather than just preauth failed.

Subject: Incorrect password error for principal with preauth is confusing
Cc: eichin

The error for an incorrect password for a principal with preauth is
confusing. krb5_init_creds_password returns KRB5KDC_ERR_PREAUTH_FAILED,
which translates to the string "Preauthentication failed". So a typical
kinit where the user types a bad password goes as follows (this is with
a 1.2.x kinit):

dragon-slave% kinit preauth@TESTV5-KERBEROS-1.2.0
Password for preauth@TESTV5-KERBEROS-1.2.0:
kinit(v5): Preauthentication failed while getting initial credentials

Needless to say, this is confusing and might dissuade the user from
trying to type their password again.

From: hartmans@mit.edu
Subject: CVS Commit

Allow the KDC to return bad integrity errors to the client on preauth
failure. This will be translated by the client into password
incorrect.


To generate a diff of this commit:



cvs diff -r5.258 -r5.259 krb5/src/kdc/ChangeLog
cvs diff -r5.39 -r5.40 krb5/src/kdc/kdc_preauth.c

From: tlyu@mit.edu
Subject: CVS Commit

pullup from trunk


To generate a diff of this commit:



cvs diff -r5.251.2.7 -r5.251.2.8 krb5/src/kdc/ChangeLog
cvs diff -r5.35.2.3 -r5.35.2.4 krb5/src/kdc/kdc_preauth.c