tids prints bad error on wrong gss name
Bug #1325953 reported by Sam Hartman
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Moonshot Trust-Router | Fix Released | High | Jennifer Richards | |
Bug Description
When the gss name specified on the command line does not match the gss name in the incoming request, tids_auth_handler returns 1 without printing an error message.
The return value is treated as an errno or com_err value.
Recommendations:
* Print a specific authorization failure error
* Return the appropriate errno value for authorization denied.
Changed in moonshot-tr: status: New → Confirmed
Changed in moonshot-tr: assignee: nobody → Jennifer Richards (jennifer-k)
Changed in moonshot-tr: status: Confirmed → In Progress
I have a patch for this, using EACCES as the error code. It results in output like:
Auth denied for incorrect gss-name ('<email address hidden>' requested, expected '<email address hidden>'). connection: Error from gsscon_passive_authenticate(), rc = 13. connection: Error authorizing TID Server connection.
tids_auth_cb: client '<email address hidden>' denied authorization.
Authenticate failed: Permission denied (err = 13)
tids_auth_
tids_handle_
If there's no objection, I'll commit this.
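The behaviour reported above and the behaviour the recommendations ask for, side by side, as an added example that is not the trust router's code or the patch mentioned in the comment. The function names `auth_before` and `auth_after`, the sample principal names, and the reading of "requested" as the client's name are assumptions; only the message format and the use of EACCES come from this page.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* "Before" (hypothetical name): a gss-name mismatch returns a bare 1 and
 * logs nothing. A caller that treats the value as an errno reports the
 * text for errno 1 instead of an authorization failure. */
static int auth_before(const char *expected, const char *client)
{
    if (client == NULL || strcmp(expected, client) != 0)
        return 1;
    return 0;
}

/* "After" (hypothetical name): a mismatch writes a specific message naming
 * both principals and returns EACCES, so strerror() gives a useful answer. */
static int auth_after(const char *expected, const char *client,
                      char *log, size_t loglen)
{
    int ok = client != NULL && strcmp(expected, client) == 0;

    if (!ok) {
        snprintf(log, loglen,
                 "Auth denied for incorrect gss-name "
                 "('%s' requested, expected '%s').",
                 client != NULL ? client : "(none)", expected);
        return EACCES;
    }
    if (loglen > 0)
        log[0] = '\0';          /* nothing to report on success */
    return 0;
}

int main(void)
{
    char log[256];
    /* Constructed sample names, not taken from the bug report. */
    const char *expected = "trustrouter@example.org";
    const char *client = "other@example.org";
    int rc = auth_before(expected, client);

    printf("before: rc = %d (%s), no log line\n", rc, strerror(rc));
    rc = auth_after(expected, client, log, sizeof log);
    printf("after:  %s\n", log);
    printf("after:  Authenticate failed: %s (err = %d)\n", strerror(rc), rc);
    return 0;
}
```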