Ticket #612 (closed defect: fixed)

Opened 11 years ago

Last modified 9 years ago

adding "@mit.edu" on the login screen gives "Cannot contact the Athena login servers"

Reported by: geofft
Owned by:
Priority: low
Milestone: The Distant Future
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description

I just met someone who was slightly confused about his password, and on getting the incorrect-password error, decided to try appending "@mit.edu" to his username at the login screen. Of course, pam_krb5 interpreted this as looking for a "mit.edu" Kerberos realm (as opposed to ATHENA.MIT.EDU) and happily returned authinfo_unavail, because no such realm in fact exists, which triggered our pam_echo issue.net.no-network informing him that the "Athena login servers" are down. Now, no matter what password he tried, he got the same error, and so he tried switching from computer to computer, assuming they were all offline.

UI-wise, we should really have done something better here.

Change History

comment:1 Changed 11 years ago by jdreed

What are our options, UI-wise? New-GDM is too cool for skinning, otherwise I'd suggest that we simply add the static text "@mit.edu" to the right of the username field.

Short of writing another PAM module that checks for the @ character and yells at the user, and putting it early enough in the stack, what else can we do?

I mean, we could also change the issue.net.no-network text, but presumably we can't make it too verbose or it'll get clipped or truncated.

comment:2 Changed 11 years ago by geofft

So I tried this patch:

+       [success=1 default=ignore]      pam_succeed_if.so user !~ @
+       [default=die] pam_echo.so file=/etc/issue.net.at_sign
        [success=end authinfo_unavail=ignore default=die]       pam_krb5.so minimum_uid=1
        [default=die] pam_echo.so file=/etc/issue.net.no_network
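
Review bot: on the added pam_succeed_if.so line, default=ignore sends every return code other than success on to the pam_echo.so at_sign line, not only a failed "user !~ @" match. If pam_succeed_if.so can return anything else here (user_unknown for an account it cannot look up is one candidate, which is an assumption to check against the installed PAM version), that login gets the at-sign message too, and because the echo line is [default=die] the stack ends there before pam_krb5.so runs. Consider listing the codes that should skip the message explicitly, for example [success=1 user_unknown=1 default=ignore], and adding a comment that the pam_echo.so line always terminates the stack.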

which works, except that for some reason if you specify a nonexistent username, you get the at-sign error. The full resulting pam-auth-update-generated common-auth file is

auth    [success=6 default=ignore]      pam_unix.so nullok_secure
auth    [success=5 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    [success=1 default=ignore]      pam_succeed_if.so user !~ @
auth    [default=die] pam_echo.so file=/etc/issue.net.at_sign
auth    [success=2 authinfo_unavail=ignore default=die] pam_krb5.so minimum_uid=1 use_first_pass
auth    [default=die] pam_echo.so file=/etc/issue.net.no_network
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so

I've been staring at this to figure out how an unknown username would ever get you to issue.net.at_sign, but I can't see it. Anyone else?
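
A small model of the generated common-auth stack above, tracing which modules run for a given set of return codes (an added example, not code from the ticket or the project). The return codes fed in are constructed assumptions, in particular that pam_succeed_if.so returns user_unknown when it cannot look up the account; `run_stack`, `STACK` and `BASE` are hypothetical names.

```python
# Constructed model of the common-auth stack quoted in comment:2.
# Control values follow pam.conf bracket syntax: an integer N skips the next
# N modules, "ignore" drops the result, "die" fails the stack at once.
REQUISITE = {"success": "ok", "default": "die"}
REQUIRED = {"success": "ok", "default": "bad"}
STACK = [
    ("pam_unix", {"success": 6, "default": "ignore"}),
    ("pam_winbind", {"success": 5, "default": "ignore"}),
    ("pam_succeed_if", {"success": 1, "default": "ignore"}),
    ("pam_echo:at_sign", {"default": "die"}),
    ("pam_krb5", {"success": 2, "authinfo_unavail": "ignore", "default": "die"}),
    ("pam_echo:no_network", {"default": "die"}),
    ("pam_deny", REQUISITE),
    ("pam_permit", REQUIRED),
]
# Return codes assumed for modules the scenarios do not vary (constructed).
BASE = {"pam_unix": "user_unknown", "pam_winbind": "user_unknown",
        "pam_echo:at_sign": "success", "pam_echo:no_network": "success",
        "pam_deny": "auth_err", "pam_permit": "success"}

def run_stack(succeed_if, krb5="success"):
    """Return (result, modules_run) for the given module return codes."""
    codes = dict(BASE, pam_succeed_if=succeed_if, pam_krb5=krb5)
    i, ran, state = 0, [], None
    while i < len(STACK):
        name, control = STACK[i]
        ran.append(name)
        # "default" applies to every code not listed, success included.
        action = control.get(codes[name], control["default"])
        if action == "die":
            return "fail", ran
        if action == "bad":
            state = "bad"
        elif action == "ok" and state is None:
            state = "ok"
        elif isinstance(action, int):
            i += action  # a jump leaves the stack's result untouched
        i += 1
    return ("success" if state == "ok" else "fail"), ran

if __name__ == "__main__":
    for label, code in [("name without @, known user", "success"),
                        ("name containing @", "auth_err"),
                        ("unknown user (assumed code)", "user_unknown")]:
        print(label, "->", run_stack(code))
```

Under these assumptions, any pam_succeed_if.so result other than success takes the same path as a name containing "@", because `default=ignore` falls through to the at_sign echo line.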

comment:3 Changed 9 years ago by jdreed

  • Status changed from new to closed
  • Resolution set to wontfix

Fixed for lightdm, in that "getent joeuser@… passwd" returns an error. I really don't want to add yet another PAM module for a problem that happens maybe once a year.

comment:4 Changed 9 years ago by jdreed

  • Status changed from closed to reopened
  • Resolution wontfix deleted

comment:5 Changed 9 years ago by jdreed

  • Status changed from reopened to committed

Fine, I lied. Fixed in r25542. Verbosity increased by only 3 characters.

comment:6 Changed 9 years ago by jdreed

  • Status changed from committed to development

pam-config 1.19

comment:7 Changed 9 years ago by jdreed

  • Status changed from development to proposed

comment:8 Changed 9 years ago by jdreed

  • Status changed from proposed to closed
  • Resolution set to fixed