From Sat Jan 8 17:14:03 2000
by (8.9.3/8.9.3) with SMTP id RAA01803
for <bugs@RT-11.MIT.EDU>; Sat, 8 Jan 2000 17:14:03 -0500 (EST)
Received: from by MIT.EDU with SMTP
id AA29912; Sat, 8 Jan 00 17:14:58 EST
Received: (from bear@localhost)
by (8.9.3/8.9.3/Debian/GNU) id PAA24345;
Sat, 8 Jan 2000 15:14:07 -0700
Message-Id: <>
Date: Sat, 8 Jan 2000 15:14:07 -0700
To: krb5-bugs@MIT.EDU
Subject: confusing error messages with ktelnetd -a user|valid
X-Send-Pr-Version: 3.99

>Number: 808
>Category: telnet
>Synopsis: confusing error messages with ktelnetd -a user|valid
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: raeburn
>State: feedback
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Sat Jan 8 17:15:00 EST 2000
>Last-Modified: Mon Feb 21 16:35:58 EST 2000
>Originator: Bear Giles
Bear Giles
>Release: krb5-1.1.1
Debian 2.1r5

System: Linux eris 2.2.13 #7 SMP Sat Oct 30 20:57:16 MDT 1999 i686 unknown
Architecture: i686

There is a confusing discrepancy between the behavior of krlogin and
ktelnet, and insufficient error messages with the latter to indicate
to the user what the problem is.

With authentication turned on, "krlogin host" results in a login prompt
and default local user name. I have the option to specify a different
local user name, if desired, but it's clear that my credentials have
been automatically sent to the server.

With authentication turned on, "ktelnet host" results in an abrupt
"Authentication failed" error message, with absolutely no indication
that the reason the authentication failed was that "ktelnet" does
*not* automatically send my credentials. This incorrect error model
was reinforced by the "-D report" - it clearly shows "send do AUTHENTICATION"/
"recv wont AUTHENTICATION" dialog.

Of course, the real problem was that I didn't specify the "-a" option
to ktelnet. It never occurred to me because I use multiple different
account names and I normally specify the account name interactively,
instead of on the command line.

Ideally, credentials should be automatically sent whenever requested,
without any special user action. Alt. this could be tied to the
program name, e.g., "telnet" doesn't send credentials by default
but "ktelnet" does.

At the same time, the "authentication failed" message should be expanded
to include a "no authentication provided" message.

This patch file addresses the second point; the first one
will require a policy decision by the Kerberos maintainers.

begin 664 0007

Responsible-Changed-From-To: hartmans->raeburn
Responsible-Changed-By: raeburn
Responsible-Changed-When: Mon Feb 21 16:35:23 2000
I'll take it...

State-Changed-From-To: open-feedback
State-Changed-By: raeburn
State-Changed-When: Mon Feb 21 16:35:29 2000

I put in a slightly different version of the change, since it's not
actually possible for user_name to be zero (it's the base of an
automatic array).
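
The distinction the report asks for, as an added example that is not part of the original report, the submitted patch, or the krb5 sources: a server-side check that tells "client answered WONT AUTHENTICATION" apart from a real credential failure. The function names, the result type, the message wording and the sample byte strings are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Telnet command bytes (RFC 854) and the AUTHENTICATION option (RFC 2941). */
enum { IAC = 255, DONT = 254, DO = 253, WONT = 252, WILL = 251, TELOPT_AUTHENTICATION = 37 };

/* Hypothetical result type for this example. */
typedef enum { AUTH_NO_REPLY, AUTH_REFUSED, AUTH_OFFERED } auth_reply;

/* Find the client's answer to DO AUTHENTICATION in the bytes it sent. */
auth_reply classify_auth_reply(const unsigned char *buf, size_t len)
{
    auth_reply result = AUTH_NO_REPLY;
    size_t i = 0;
    while (i < len) {
        if (buf[i] != IAC) { i++; continue; }      /* ordinary data byte */
        if (i + 1 >= len) break;                   /* truncated command */
        unsigned char cmd = buf[i + 1];
        if (cmd >= WILL && cmd <= DONT) {          /* three-byte option command */
            if (i + 2 >= len) break;
            if (buf[i + 2] == TELOPT_AUTHENTICATION && cmd == WILL) result = AUTH_OFFERED;
            if (buf[i + 2] == TELOPT_AUTHENTICATION && cmd == WONT) result = AUTH_REFUSED;
            i += 3;
        } else {
            i += 2;    /* IAC IAC (escaped 0xFF data) or another two-byte command */
        }
    }
    return result;
}

/* Text for a rejected login; the wording is illustrative, not telnetd's. */
const char *auth_failure_message(auth_reply r)
{
    switch (r) {
    case AUTH_REFUSED:  return "Authentication failed: no authentication provided";
    case AUTH_NO_REPLY: return "Authentication failed: client never answered the request";
    default:            return "Authentication failed: credentials rejected";
    }
}

/* Constructed samples: a client started without "-a", and one that offers auth. */
const unsigned char sample_refused[] = { IAC, WILL, 24, IAC, WONT, 37, IAC, DO, 3 };
const unsigned char sample_offered[] = { IAC, WILL, 37 };
const unsigned char sample_escaped[] = { IAC, IAC, WONT, 37 };  /* data, not a command */

int main(void)
{
    printf("%s\n", auth_failure_message(classify_auth_reply(sample_refused, sizeof sample_refused)));
    return 0;
}
```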
