[8047] in Athena Bugs
vax 7.3L: xlogin (local account bug + fix)
daemon@ATHENA.MIT.EDU (ckclark@ATHENA.MIT.EDU)
Mon Aug 26 16:19:42 1991
From: ckclark@ATHENA.MIT.EDU
Date: Mon, 26 Aug 91 16:20:02 -0400
To: bugs@ATHENA.MIT.EDU
Reply-To: ckclark@mit.edu
System name: hal-2000
Type and version: CVAXSTAR 7.3L
Display type: SM
What were you trying to do?
Log in on a local account.
What's wrong:
I got the message: ``Unknown username entered'' when typing the
username of a local account with an *incorrect* password.
This is different from the message one gets by choosing a
username which is neither in /etc/passwd nor in the Hesiod database.
That error is:
Unknown user name entered (no hesiod
information for "foo")
Note "username" as opposed to "user name". It seems that xlogin
on a local account is failing with the error KDC_PR_UNKNOWN, which is
returned by krb_get_pw_in_tkt() when get_tickets is called. It is
apparent from the following section of verify.c that if I type the
passwd incorrectly for a local account, it will set local_ok to TRUE:
114     /* check local password file */
115     if ((pwd = getpwnam(user)) != NULL) {
116         local_passwd = TRUE;
117         if (strcmp(crypt(passwd, pwd->pw_passwd), pwd->pw_passwd)) {
118             if (pwd->pw_uid == ROOT)
119                 return("Incorrect root password");
120         } else
121             local_ok = TRUE;
122     } else {
The only place local_ok is tested is here:
160     if ((msg = get_tickets(user, passwd)) != NULL && pwd->pw_uid) {
161         if (!local_ok) {
162             cleanup(NULL);
163             return(msg);
164         } else {
165             prompt_user("Unable to get full authentication, you will have local access only during this login session (failed to get kerberos tickets). Continue anyway?", abort_verify);
166         }
167     }
168
So get_tickets is called, and krb_get_pw_in_tkt() is called there:
418     error = krb_get_pw_in_tkt(username, inst, realm, "krbtgt", realm,
419                               LOGIN_TKT_DEFAULT_LIFETIME, password);
420     switch (error) {
421     case KSUCCESS:
422         break;
423     case INTK_BADPW:
424         return("Incorrect password entered.");
425     case KDC_PR_UNKNOWN:
426         return("Unknown username entered.");
427     default:
428         sprintf(errbuf, "Unable to authenticate you, kerberos failure %d: %s. Try again here or on another workstation.",
429                 error, krb_err_txt[error]);
430         return(errbuf);
431     }
On line 426, the error "Unknown username entered." is printed, and the
login fails.
What should have happened:
The method for determining whether or not an account is local is weak.
It depends on the local password failing, which is usually induced by
having a "*" entry in place of an encrypted passwd in the password
field, but it can also be induced by typing the password incorrectly,
which means I can have a different local password from Kerberos
password---a necessary feature for several reasons.
I propose the following algorithm:
If the username typed in is in the password file, *and* it is
*not* a valid Kerberos principal, *and* the password has been typed
incorrectly, then it should say "Password incorrect." rather than
"Unknown username entered".
The following patch will do that:
*** /source/athena/athena.etc/xdm/xlogin/verify.c Sun Aug 18 19:28:20 1991
--- verify.c Mon Aug 26 16:10:34 1991
***************
*** 70,75 ****
--- 70,76 ----
int homedir_status = HD_LOCAL;
int added_to_passwd = FALSE;
+ int local_passwd = FALSE; /* user is in local passwd file */
char *dologin(user, passwd, option, script, tty, session, display)
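Review bot: local_passwd now lives at file scope and is initialised to FALSE only once, so it is no longer reset on every dologin() call the way the removed local was; if dologin() runs more than once in the same process, a TRUE left over from an earlier attempt would make the new KDC_PR_UNKNOWN branch answer "Password incorrect." for a name that is not in /etc/passwd at all. Set `local_passwd = FALSE;` at the top of dologin() next to the other state variables, or pass the flag to get_tickets() as an argument instead of sharing it through a global.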
***************
*** 97,103 ****
int i;
/* state variables: */
- int local_passwd = FALSE; /* user is in local passwd file */
int local_ok = FALSE; /* verified from local password file */
int nocreate = FALSE; /* not allowed to modify passwd file */
int nologin = FALSE; /* logins disabled */
--- 98,103 ----
***************
*** 423,429 ****
case INTK_BADPW:
return("Incorrect password entered.");
case KDC_PR_UNKNOWN:
! return("Unknown username entered.");
default:
sprintf(errbuf, "Unable to authenticate you, kerberos failure %d: %s. Try again here or on another workstation.",
error, krb_err_txt[error]);
--- 423,432 ----
case INTK_BADPW:
return("Incorrect password entered.");
case KDC_PR_UNKNOWN:
! if (local_passwd)
! return("Password incorrect.");
! else
! return("Unknown username entered.");
default:
sprintf(errbuf, "Unable to authenticate you, kerberos failure %d: %s. Try again here or on another workstation.",
error, krb_err_txt[error]);
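Review bot: the new string "Password incorrect." differs from the "Incorrect password entered." message returned for INTK_BADPW a few lines above; use the same string for both so the two wrong-password paths look identical to the user and the message text does not reveal which branch was taken. The branch still distinguishes a name present in /etc/passwd from one that is not, which matches the existing unknown-user versus bad-password distinction for Kerberos principals rather than adding a new one.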
Please describe any relevant documentation references:
xlogin(8)
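As an added illustration (not code from this bug report or from xlogin's verify.c), the C model below condenses the three excerpts quoted above into one function and shows the message a local user with a mistyped password gets before and after the proposed patch. The result codes, flag names and message strings are constructed stand-ins for the real krb.h and verify.c values, and the local_passwd flag is kept per attempt rather than global.

```c
#include <string.h>

/* Constructed stand-ins for the Kerberos result codes verify.c switches on. */
enum krb_result { KSUCCESS = 0, INTK_BADPW, KDC_PR_UNKNOWN };

#define MSG_OK         "login proceeds"
#define MSG_LOCAL_ONLY "local access only during this login session"  /* prompt_user() */
#define MSG_UNKNOWN    "Unknown username entered."
#define MSG_BADPW_KRB  "Incorrect password entered."
#define MSG_BADPW_LOC  "Password incorrect."                            /* added by patch */
#define MSG_ROOT       "Incorrect root password"

/*
 * Model of the dologin()/get_tickets() decision flow in verify.c.
 *   in_passwd    getpwnam() found the user in /etc/passwd
 *   local_match  crypt() of the typed password equals pwd->pw_passwd
 *   is_root      pwd->pw_uid == ROOT (only meaningful when in_passwd is set)
 *   krb          what krb_get_pw_in_tkt() returned
 *   patched      apply the KDC_PR_UNKNOWN branch from the proposed patch
 * Returns the message the user would see.
 */
static const char *xlogin_outcome(int in_passwd, int local_match, int is_root,
                                  enum krb_result krb, int patched)
{
    /* lines 114-122: flags are reset for every attempt, not shared globally */
    int local_passwd = in_passwd;
    int local_ok = 0;
    const char *msg = NULL;

    if (in_passwd) {
        if (!local_match) {
            if (is_root)
                return MSG_ROOT;       /* line 119 */
        } else {
            local_ok = 1;              /* line 121 */
        }
    }

    /* lines 418-431: get_tickets() maps the Kerberos result to a message */
    switch (krb) {
    case KSUCCESS:       break;
    case INTK_BADPW:     msg = MSG_BADPW_KRB; break;
    case KDC_PR_UNKNOWN: msg = (patched && local_passwd) ? MSG_BADPW_LOC : MSG_UNKNOWN; break;
    }

    /* lines 160-167: a ticket failure is fatal unless the local password verified
     * (and is ignored entirely for uid 0, the "&& pwd->pw_uid" test) */
    if (msg == NULL || (in_passwd && is_root))
        return MSG_OK;
    return local_ok ? MSG_LOCAL_ONLY : msg;
}
```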