Unexpected return codes from KDC -- krb5-1.6.3
Mike Friedman
mikef at berkeley.edu
Thu Jan 29 14:55:35 EST 2009
Re: my getting RC=31 (decrypt integrity check) for various conditions,
like expired principal or passphrase or non-existent principal.

I've done some further testing and here's my situation:

It appears that the '--with-vague-errors' configure option just affects
the text of error messages, not the return codes.

So, I've compiled without that option and even kinit exhibits the
same problem: it tells me I've entered an incorrect password, even though
that's not true. In fact, if the principal is expired, or the passphrase
is expired, etc., it appears that the KDC 'short circuits' the AS
exchange, not issuing a 'PRE_AUTH_REQUIRED' message and just reporting a
bad passphrase.

My applications need to be able to distinguish between these various
conditions, for which there are documented return codes. Why are they not
being returned?

Since '--with-vague-errors' is not the issue here, my question is, what
else might have changed between 1.4.2 and 1.6.1 to cause this new
behavior?

Thanks.

Mike
========================================================================
On Tue, 27 Jan 2009 at 15:53 (-0800), Mike Friedman wrote:
> If I have a principal that has any of the following set, then, even if I
> supply the correct password, I get back a return code of 31 (decrypt
> integrity check), instead of the more specific return code that would
> correspond to the specific situation:
>
> CLIENT_NOT_FOUND
> CLIENT EXPIRED
> REQUIRED PWCHANGE
> CLIENT KEY EXPIRED
>
> But if none of the above is true, then my authentication succeeds (RC=0)
> if I supply the correct password, and fails with the expected RC=31 if I
> enter an invalid password.
>
> This is krb5-1.6.3 on FreeBSD.
_________________________________________________________________________
Mike Friedman Information Services & Technology
mikef at berkeley.edu 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://mikef.berkeley.edu http://ist.berkeley.edu
_________________________________________________________________________