Ticket #612 (closed defect: fixed)
adding "@mit.edu" on the login screen gives "Cannot contact the Athena login servers"
Reported by: | geofft | Owned by: | |
---|---|---|---|
Priority: | low | Milestone: | The Distant Future |
Component: | -- | Keywords: | |
Cc: | Fixed in version: | ||
Upstream bug: |
Description
I just met someone who was slightly confused about his password, and on getting the incorrect-password error, decided to try appending "@mit.edu" to his username at the login screen. Of course, pam_krb5 interpreted this as looking for a "mit.edu" Kerberos realm (as opposed to ATHENA.MIT.EDU) and happily returned authinfo_unavail, because no such realm in fact exists, which triggered our pam_echo issue.net.no-network informing him that the "Athena login servers" are down. Now, no matter what password he tried, he got the same error, and so he tried switching computer to computer assuming they were all offline.
UI-wise, we should really have done something better here.
Change History
comment:2 Changed 14 years ago by geofft
So I tried this patch:
+ [success=1 default=ignore] pam_succeed_if.so user !~ @ + [default=die] pam_echo.so file=/etc/issue.net.at_sign [success=end authinfo_unavail=ignore default=die] pam_krb5.so minimum_uid=1 [default=die] pam_echo.so file=/etc/issue.net.no_network
which works, except that for some reason if you specify a nonexistent username, you get the at-sign error. The full resulting pam-auth-update-generated common-auth file is
auth [success=6 default=ignore] pam_unix.so nullok_secure auth [success=5 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth [success=1 default=ignore] pam_succeed_if.so user !~ @ auth [default=die] pam_echo.so file=/etc/issue.net.at_sign auth [success=2 authinfo_unavail=ignore default=die] pam_krb5.so minimum_uid=1 use_first_pass auth [default=die] pam_echo.so file=/etc/issue.net.no_network # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so
I've been staring at this to figure out how an unknown username would ever get you to issue.net.at_sign, but I can't see it. Anyone else?
comment:3 Changed 12 years ago by jdreed
- Status changed from new to closed
- Resolution set to wontfix
Fixed for lightdm, in that "getent joeuser@… passwd" returns an error. I really don't want to add yet another PAM module for a problem that happens maybe once a year.
comment:4 Changed 12 years ago by jdreed
- Status changed from closed to reopened
- Resolution wontfix deleted
comment:5 Changed 12 years ago by jdreed
- Status changed from reopened to committed
Fine, I lied. Fixed in r25542. Verbosity increased by only 3 characters.
What are our options, UI-wise? New-GDM is too cool for skinning, otherwise I'd suggest that we simply add the static text "@mit.edu" to the right of the username field.
Short of writing another PAM module that checks for the @ character and yells at the user, and putting it early enough in the stack, what else can we do?
I mean, we could also change the issue.net.no-network text, but presumably we can't make it too verbose or it'll get clipped or truncated.