Package: libpam-heimdal

When the libpam-heimdal module is unable to contact the KDC it should return PAM_SERVICE_ERR instead of PAM_AUTH_ERR. This represents the reason authentication failed more accurately.

The relevant code is in pam_krb5_auth.c on about line 180:

    /* Get a TGT */
    if (krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
                                              pass, pam_prompter, pamh, 0,
                                              NULL, &opts)) {
        DLOG("krb5_get_init_creds_password()", error_message(krbret));
        if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
            pass = NULL;
            goto get_pass;
        }
        pamret = PAM_AUTH_ERR;
        goto cleanup2;
    }

Notice that in all cases PAM_AUTH_ERR is returned. In a lot of cases, PAM_SERVICE_ERR should be returned instead.

    if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
        pass = NULL;
        goto get_pass;
    } else if (krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
        /* wrong password: a genuine authentication failure */
        pamret = PAM_AUTH_ERR;
    } else {
        /* anything else (KDC unreachable, etc.) is a service problem */
        pamret = PAM_SERVICE_ERR;
    }
    goto cleanup2;   /* as in the original: release creds before returning */

That is a possible fix, but also probably not ideal. Kerberos has a LOT of return codes... a better way might be to have some sort of Kerberos return code -> PAM error code map that is used to determine PAM exit status.

-- 
Jerry Haltom <[EMAIL PROTECTED]>
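One shape such a map could take, as an added example that is not part of the report or of libpam-heimdal: a table keyed on the krb5 error code, consulted once after krb5_get_init_creds_password() fails. It uses the real <krb5.h> and <security/pam_modules.h> when they are installed and otherwise falls back to the constant values those headers define (assumed from krb5_err.h and Linux-PAM) so it builds stand-alone.

```c
/* Added example: krb5 error code -> PAM return code map.
 * Falls back to the standard constant values when the real headers are
 * absent; in a PAM module you would include the headers unconditionally. */
#include <stddef.h>

#if defined(__has_include)
#  if __has_include(<krb5.h>)
#    include <krb5.h>
#    define HAVE_KRB5_HDR 1
#  endif
#  if __has_include(<security/pam_modules.h>)
#    include <security/pam_modules.h>
#    define HAVE_PAM_HDR 1
#  endif
#endif
#ifndef HAVE_KRB5_HDR /* assumed: ERROR_TABLE_BASE_krb5 (-1765328384) + index */
typedef int krb5_error_code;
#  define KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (-1765328378)
#  define KRB5KDC_ERR_KEY_EXP             (-1765328361)
#  define KRB5KDC_ERR_PREAUTH_FAILED      (-1765328360)
#  define KRB5KRB_AP_ERR_BAD_INTEGRITY    (-1765328353)
#  define KRB5_REALM_UNKNOWN              (-1765328230)
#  define KRB5_KDC_UNREACH                (-1765328228)
#endif
#ifndef HAVE_PAM_HDR /* assumed: Linux-PAM values */
#  define PAM_SERVICE_ERR       3
#  define PAM_AUTH_ERR          7
#  define PAM_USER_UNKNOWN     10
#  define PAM_NEW_AUTHTOK_REQD 12
#endif

struct krb5_pam_map { krb5_error_code krb; int pam; };

/* Codes not listed keep the module's current PAM_AUTH_ERR, so a gap in the
 * table never turns a denial into anything else. */
static const struct krb5_pam_map krb5_pam_table[] = {
    { KRB5KRB_AP_ERR_BAD_INTEGRITY,    PAM_AUTH_ERR },         /* bad password */
    { KRB5KDC_ERR_PREAUTH_FAILED,      PAM_AUTH_ERR },         /* bad password (preauth) */
    { KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, PAM_USER_UNKNOWN },
    { KRB5KDC_ERR_KEY_EXP,             PAM_NEW_AUTHTOK_REQD }, /* password expired */
    { KRB5_KDC_UNREACH,                PAM_SERVICE_ERR },      /* KDC down: not a credential failure */
    { KRB5_REALM_UNKNOWN,              PAM_SERVICE_ERR },
};

int krb5_to_pam_error(krb5_error_code krbret)
{
    size_t i;
    for (i = 0; i < sizeof krb5_pam_table / sizeof krb5_pam_table[0]; i++)
        if (krb5_pam_table[i].krb == krbret)
            return krb5_pam_table[i].pam;
    return PAM_AUTH_ERR;
}
```

Linux-PAM also defines PAM_AUTHINFO_UNAVAIL for "authentication information could not be accessed (network failure, etc.)", which is another candidate for the unreachable-KDC row.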