[Spice-devel] [PATCH 1/2] authentication: Handle failed SASL authentication separately

Christophe Fergeau cfergeau at redhat.com
Wed Feb 15 15:00:22 UTC 2017


On Wed, Feb 15, 2017 at 02:56:36PM +0200, Snir Sheriber wrote:
> Hi,
> Yes, the idea is to present errors which are generated on the SASL server
> side in the error window on the user/SASL-client side (only errors, without
> sasl_ok, continue, interact) by sending the error number to the client and
> printing the relevant string (I'll send these patches again with another one
> that does this later so it will be clearer).
> IMHO, this would be better than the current error message that is being printed.

I think there are 2 separate issues here:
1) you want to improve the error message which is presented to the user
2) you are saying that this error message should be the output of
sasl_error()

I'm all for 1), but we should have our own error messages, I don't think
we should directly show SASL error messages in the UI (though it's fine
with me to have them in a debug log).
Most of the error messages from sasl_errstring do not make sense to show to the
user (i.e. I don't understand half of them) apart from the few that you listed
already. The bigger problem is that these messages are untranslated.

const char *sasl_errstring(int saslerr,
			   const char *langlist __attribute__((unused)),
			   const char **outlang)
{
  if (outlang) *outlang="en-us";

  switch(saslerr)
    {
    case SASL_CONTINUE: return "another step is needed in authentication";
    case SASL_OK:       return "successful result";
    case SASL_FAIL:     return "generic failure";
    case SASL_NOMEM:    return "no memory available";
    case SASL_BUFOVER:  return "overflowed buffer";
    case SASL_NOMECH:   return "no mechanism available";
    case SASL_BADPROT:  return "bad protocol / cancel";
    case SASL_NOTDONE:  return "can't request information until later in exchange";
    case SASL_BADPARAM: return "invalid parameter supplied";
    case SASL_TRYAGAIN: return "transient failure (e.g., weak key)";
    case SASL_BADMAC:   return "integrity check failed";
    case SASL_NOTINIT:  return "SASL library is not initialized";
                             /* -- client only codes -- */
    case SASL_INTERACT:   return "needs user interaction";
    case SASL_BADSERV:    return "server failed mutual authentication step";
    case SASL_WRONGMECH:  return "mechanism doesn't support requested feature";
                             /* -- server only codes -- */
    case SASL_BADAUTH:    return "authentication failure";
    case SASL_NOAUTHZ:    return "authorization failure";
    case SASL_TOOWEAK:    return "mechanism too weak for this user";
    case SASL_ENCRYPT:    return "encryption needed to use mechanism";
    case SASL_TRANS:      return "One time use of a plaintext password will enable requested mechanism for user";
    case SASL_EXPIRED:    return "passphrase expired, has to be reset";
    case SASL_DISABLED:   return "account disabled";
    case SASL_NOUSER:     return "user not found";
    case SASL_BADVERS:    return "version mismatch with plug-in";
    case SASL_UNAVAIL:    return "remote authentication server unavailable";
    case SASL_NOVERIFY:   return "user exists, but no verifier for user";
    case SASL_PWLOCK:     return "passphrase locked";
    case SASL_NOCHANGE:   return "requested change was not needed";
    case SASL_WEAKPASS:   return "passphrase is too weak for security policy";
    case SASL_NOUSERPASS: return "user supplied passwords are not permitted";
    case SASL_NEED_OLD_PASSWD: return "sasl_setpass needs old password in order "
			       "to perform password change";
    case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because "
				 "of a constraint violation";
    case SASL_BADBINDING: return "channel binding failure";
    case SASL_CONFIGERR:  return "error when parsing configuration file";

    default:   return "undefined error!";
    }
}

Christophe
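
An added example, not part of the original message and not code from spice or Cyrus SASL, of the split discussed above: a small set of application-owned, translatable messages for the UI, with the raw SASL code and sasl_errstring() text kept for the debug log. The category names, the message wording, the choice of which codes map where, and the `_()` stand-in for gettext() are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Numeric values as in Cyrus SASL's <sasl/sasl.h>, repeated so the example
 * builds without the library; real code includes the header instead. */
#ifndef SASL_OK
#define SASL_NOMECH   (-4)
#define SASL_BADAUTH  (-13)
#define SASL_NOAUTHZ  (-14)
#define SASL_EXPIRED  (-18)
#define SASL_DISABLED (-19)
#define SASL_NOUSER   (-20)
#define SASL_UNAVAIL  (-24)
#endif
#define _(s) (s) /* stand-in for gettext(), so the UI strings are translatable */

/* Hypothetical UI categories: the only things the user ever sees. */
typedef enum { UI_BAD_CREDENTIALS, UI_ACCOUNT, UI_SERVER, UI_GENERIC } ui_auth_error;

ui_auth_error ui_auth_error_from_sasl(int saslerr)
{
    switch (saslerr) {
    case SASL_BADAUTH:
    case SASL_NOUSER:   /* same text as a wrong password */
        return UI_BAD_CREDENTIALS;
    case SASL_NOAUTHZ:
    case SASL_EXPIRED:
    case SASL_DISABLED:
        return UI_ACCOUNT;
    case SASL_NOMECH:
    case SASL_UNAVAIL:
        return UI_SERVER;
    default:            /* everything else is noise to the user */
        return UI_GENERIC;
    }
}

const char *ui_auth_message(ui_auth_error e)
{
    switch (e) {
    case UI_BAD_CREDENTIALS: return _("Authentication failed: check user name and password");
    case UI_ACCOUNT:         return _("This account cannot log in; contact your administrator");
    case UI_SERVER:          return _("The server could not process the authentication request");
    default:                 return _("Authentication failed");
    }
}

/* Raw SASL code and sasl_errstring() text go to the debug line only. */
const char *report_sasl_failure(int saslerr, const char *sasl_text, char *dbg, size_t len)
{
    snprintf(dbg, len, "SASL error %d: %s", saslerr, sasl_text ? sasl_text : "(none)");
    return ui_auth_message(ui_auth_error_from_sasl(saslerr));
}
```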