As a krb5 user at MIT with a SAM2/Duo required account, I want to have distinct error messages for "wrong password" and "Duo error" so I know what actions I should take

Description

At MIT, users with username/root principals often have SAM2 preauth required for those principals. The SAM2 Duo preauth plugin currently deployed doesn't provide good feedback when the password is incorrect.

e.g.,

show what happens with an incorrect password.

I get the following for a correct password.

We should either document the existing behavior in the KB, or improve the error reporting behavior. Arguably giving more direct feedback about which factor failed makes it easier to guess passwords, but that is a usability tradeoff which we should consciously make and document.

Assignee

Unassigned

Reporter

Tom Yu

Labels

None

Priority

Normal