[krbdev.mit.edu #1324] cannot reproduce

Tom Yu via RT rt-comment at krbdev.mit.edu
Fri Jan 24 21:17:59 EST 2003


>>>>> "Jered" == Jered Floyd via RT <rt-comment at krbdev.mit.edu> writes:

Jered> Rather, when I type the principal's password correctly, both kinit
Jered> and saslauthd succeed.  When I give an incorrect password, both
Jered> log the error that I reported.

Jered> Arguably, the error message is not particularly good at indicating
Jered> that the password is incorrect.

I agree.  Inspection of the code in verify_enc_timestamp() reveals
that if a key is found that matches the enctype in the encrypted
timestamp preauth, and the decryption fails, the loop continues.  This
is presumably because the encrypted timestamp preauth doesn't carry
salt information or any other information that would permit the KDC to
correctly choose between multiple keys having the same enctype but
having different salts.

Probably the correct thing to do is to set a flag when decryption is
attempted, so that if the loop exits with an error of NO_MATCHING_KEY
and the flag is set, the KDC will correctly report a bad password.

---Tom
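As an added illustration of the loop described above (not code from MIT krb5 or from this thread), a small C model of a KDC key-selection loop beside the variant with the suggested "decryption attempted" flag. The key-entry struct, result names, enctype numbers and key strings are constructed stand-ins, and the toy decrypt is a string compare in place of real cryptography.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a principal's stored key: enctype, salt, and the
 * key bytes a client would derive from its password with that salt. */
typedef struct { int enctype; const char *salt; const char *key; } key_entry;

/* Hypothetical result codes, named only for this illustration. */
enum { TS_OK = 0, TS_NO_MATCHING_KEY = 1, TS_BAD_PASSWORD = 2 };

/* Toy "decrypt": succeeds only if the client's derived key equals the stored one. */
static int try_decrypt(const key_entry *k, const char *client_key) {
    return strcmp(k->key, client_key) == 0;
}

/* Behaviour as described in the thread: a failed decryption just continues
 * the loop, so a wrong password surfaces as NO_MATCHING_KEY. */
int verify_ts_original(const key_entry *keys, int n, int enctype, const char *client_key) {
    for (int i = 0; i < n; i++) {
        if (keys[i].enctype != enctype) continue;
        if (try_decrypt(&keys[i], client_key)) return TS_OK;
    }
    return TS_NO_MATCHING_KEY;
}

/* Suggested fix: remember that a decryption was attempted, so the KDC can
 * distinguish "no key of that enctype" from "bad password". */
int verify_ts_fixed(const key_entry *keys, int n, int enctype, const char *client_key) {
    int attempted = 0;
    for (int i = 0; i < n; i++) {
        if (keys[i].enctype != enctype) continue;
        attempted = 1;
        if (try_decrypt(&keys[i], client_key)) return TS_OK;
    }
    return attempted ? TS_BAD_PASSWORD : TS_NO_MATCHING_KEY;
}

/* Constructed principal: two keys of the same enctype (17) with different salts. */
static const key_entry DB[] = {
    { 17, "REALM.EXAMPLEuser",  "k17-v4salt"   },
    { 17, "user@REALM.EXAMPLE", "k17-afs3salt" },
    { 23, "REALM.EXAMPLEuser",  "k23-v4salt"   },
};
#define DB_N 3

int main(void) {
    printf("original, wrong password: %d\n", verify_ts_original(DB, DB_N, 17, "wrong"));
    printf("fixed, wrong password:    %d\n", verify_ts_fixed(DB, DB_N, 17, "wrong"));
    printf("fixed, unknown enctype:   %d\n", verify_ts_fixed(DB, DB_N, 18, "wrong"));
    return 0;
}
```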


