As a krb5 user at MIT with a SAM2/Duo required account, I want to have distinct error messages for "wrong password" and "Duo error" so I know what actions I should take

Description

At MIT, users with username/root principals often have SAM2 preauth required for those principals. The SAM2 Duo preauth plugin currently deployed doesn't provide good feedback when the password is incorrect.

e.g., the following shows what happens with an incorrect password:

    Password for tlyu/root@ATHENA.MIT.EDU:
    SAM Authentication
    Challenge from authentication server
    Duo login: Passcode/option or press return for options:
    SAM Authentication
    Challenge from authentication server

I get the following for a correct password.

    Password for tlyu/root@ATHENA.MIT.EDU:
    SAM Authentication
    Challenge from authentication server
    Duo login: Passcode/option or press return for options:
    SAM Authentication
    Challenge from authentication server
    1. Duo Push to XXX-XXX-####:

We should either document the existing behavior in the KB, or improve the error reporting behavior. Arguably giving more direct feedback about which factor failed makes it easier to guess passwords, but that is a usability tradeoff which we should consciously make and document.

Status

Assignee

Unassigned

Reporter

Tom Yu

Labels

None

Priority

Normal