I&AM Kerberos / KRB-47

As a krb5 user at MIT with a SAM2/Duo required account, I want to have distinct error messages for "wrong password" and "Duo error" so I know what actions I should take

    Details

    • Type: Story
    • Status: To Do
    • Priority: Normal
    • Resolution: Unresolved
    • Affects versions: None
    • Fix versions: None
    • Components: None
    • Labels: None
    • Sprint:

      Description

      At MIT, users with username/root principals often have SAM2 preauth required for those principals. The SAM2 Duo preauth plugin currently deployed doesn't provide good feedback when the password is incorrect.

      e.g.,

      Password for tlyu/root@ATHENA.MIT.EDU: 
      SAM Authentication
      Challenge from authentication server
      Duo login: Passcode/option or press return for options: 
      SAM Authentication
      Challenge from authentication server
      

      shows what happens with an incorrect password.

      I get the following for a correct password.

      Password for tlyu/root@ATHENA.MIT.EDU: 
      SAM Authentication
      Challenge from authentication server
      Duo login: Passcode/option or press return for options: 
      SAM Authentication
      Challenge from authentication server
       1. Duo Push to XXX-XXX-####: 
      

      We should either document the existing behavior in the KB, or improve the error reporting behavior. Arguably giving more direct feedback about which factor failed makes it easier to guess passwords, but that is a usability tradeoff which we should consciously make and document.

            People

            • Assignee: Unassigned
            • Reporter: tlyu Tom Yu (Inactive)