On Sun, Sep 09, 2012 at 04:11:07PM +0200, Joschi Brauchle wrote:
Hello Jakub,
I have prepared a patch (see Novell bugzilla) that adds a check for
the "Decrypt integrity check failed" Kerberos error code to the
switch statement, which then returns PAM_AUTH_ERR.
I tested that patch with OpenSUSE12.2 + KDM as well as SSH password
based login and can confirm that the misleading error message goes
away (for SSH there was only a misleading syslog error but not for
the user).
However, the mentioned patch only changes the PAM return code when
using Kerberos with a password. I am not sure if there may be other
spots in the krb5_child that may also need fixing, as there are
other possibilities to use Kerberos auth (forwarded TGT, keytab, and
so on).
Best regards,
Joschi Brauchle
Yep, my patch added the same handler as your did, just inside a new
function that is also reused during password change.
Thanks again!