[Spice-devel] [PATCH 1/2] authentication: Handle failed SASL authentication separately
Snir Sheriber
ssheribe at redhat.com
Wed Feb 15 16:20:55 UTC 2017
Hi,
Most of them will never show up, and if they do, it always starts with
"Unable to authenticate" so I thought it's good enough, but no problem,
I can show the user only the relevant ones and log the others (or
ignore them :] )
On 02/15/2017 05:00 PM, Christophe Fergeau wrote:
> On Wed, Feb 15, 2017 at 02:56:36PM +0200, Snir Sheriber wrote:
>> Hi,
>> Yes, the idea is to present errors which are generated on the SASL server
>> side in the err window on the user/SASL-client side (only errors, without
>> sasl_ok, continue, interact) by sending the error number to the client and
>> printing the relevant string (I'll send these patches again with another one
>> that does this later so it will be clearer).
>> IMHO, this would be better than the current err msg that is being printed.
> I think there are 2 separate issues here
> 1) you want to improve the error message which is presented to the user
> 2) you are saying that this error message should be the output of
> sasl_error()
>
> I'm all for 1), but we should have our own error messages, I don't think
> we should directly show SASL error messages in the UI (though it's fine
> with me to have them in a debug log).
> Most of the error messages from sasl_errstring do not make sense to show to the
> user (ie I don't understand half of them) apart from the few that you listed
> already. The bigger problem is that these messages are untranslated.
>
> const char *sasl_errstring(int saslerr,
>                            const char *langlist __attribute__((unused)),
>                            const char **outlang)
> {
>   if (outlang) *outlang="en-us";
>
>   switch(saslerr)
>     {
>     case SASL_CONTINUE: return "another step is needed in authentication";
>     case SASL_OK:       return "successful result";
>     case SASL_FAIL:     return "generic failure";
>     case SASL_NOMEM:    return "no memory available";
>     case SASL_BUFOVER:  return "overflowed buffer";
>     case SASL_NOMECH:   return "no mechanism available";
>     case SASL_BADPROT:  return "bad protocol / cancel";
>     case SASL_NOTDONE:  return "can't request information until later in exchange";
>     case SASL_BADPARAM: return "invalid parameter supplied";
>     case SASL_TRYAGAIN: return "transient failure (e.g., weak key)";
>     case SASL_BADMAC:   return "integrity check failed";
>     case SASL_NOTINIT:  return "SASL library is not initialized";
>     /* -- client only codes -- */
>     case SASL_INTERACT:   return "needs user interaction";
>     case SASL_BADSERV:    return "server failed mutual authentication step";
>     case SASL_WRONGMECH:  return "mechanism doesn't support requested feature";
>     /* -- server only codes -- */
>     case SASL_BADAUTH:    return "authentication failure";
>     case SASL_NOAUTHZ:    return "authorization failure";
>     case SASL_TOOWEAK:    return "mechanism too weak for this user";
>     case SASL_ENCRYPT:    return "encryption needed to use mechanism";
>     case SASL_TRANS:      return "One time use of a plaintext password will enable requested mechanism for user";
>     case SASL_EXPIRED:    return "passphrase expired, has to be reset";
>     case SASL_DISABLED:   return "account disabled";
>     case SASL_NOUSER:     return "user not found";
>     case SASL_BADVERS:    return "version mismatch with plug-in";
>     case SASL_UNAVAIL:    return "remote authentication server unavailable";
>     case SASL_NOVERIFY:   return "user exists, but no verifier for user";
>     case SASL_PWLOCK:     return "passphrase locked";
>     case SASL_NOCHANGE:   return "requested change was not needed";
>     case SASL_WEAKPASS:   return "passphrase is too weak for security policy";
>     case SASL_NOUSERPASS: return "user supplied passwords are not permitted";
>     case SASL_NEED_OLD_PASSWD: return "sasl_setpass needs old password in order "
>                                       "to perform password change";
>     case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because "
>                                         "of a constraint violation";
>     case SASL_BADBINDING: return "channel binding failure";
>     case SASL_CONFIGERR:  return "error when parsing configuration file";
>
>     default:   return "undefined error!";
>     }
> }
>
> Christophe
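
The split discussed in this thread (application-owned, translatable text for the few codes a user can act on, raw SASL detail only in the debug log), as an added example that is not code from the patch or from spice-gtk. The function names, the `_()` stub, the message wording after "Unable to authenticate" and the choice of which codes get their own text are assumptions; the enum stands in for <sasl/sasl.h> so the file builds without libsasl2.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the codes defined in <sasl/sasl.h>; real code includes
 * that header instead of this enum. */
enum { SASL_OK = 0, SASL_FAIL = -1, SASL_NOMEM = -2, SASL_NOMECH = -4,
       SASL_TRYAGAIN = -8, SASL_BADAUTH = -13, SASL_NOUSER = -20,
       SASL_UNAVAIL = -24 };

/* Hypothetical translation hook; a gettext build defines _() itself. */
#define _(s) (s)

/* Application-owned text for the codes a user can act on (assumed set). */
const char *auth_user_message(int saslerr)
{
    switch (saslerr) {
    case SASL_BADAUTH:
    case SASL_NOUSER:   /* same text, so the UI does not say whether the account exists */
        return _("Unable to authenticate: check the user name and password");
    case SASL_NOMECH:
        return _("Unable to authenticate: no common authentication mechanism");
    case SASL_TRYAGAIN:
    case SASL_UNAVAIL:
        return _("Unable to authenticate: server unavailable, try again later");
    default:            /* everything else stays generic in the UI */
        return _("Unable to authenticate");
    }
}

/* Debug-log line: keeps the numeric code and the untranslated library text.
 * 'detail' is what sasl_errstring() returned, passed in by the caller. */
int auth_debug_line(char *buf, size_t len, int saslerr, const char *detail)
{
    return snprintf(buf, len, "SASL authentication failed: %d (%s)",
                    saslerr, detail ? detail : "no detail");
}

int main(void)
{
    char line[128];
    /* Constructed sample: code and string as the server side would report them. */
    auth_debug_line(line, sizeof line, SASL_NOUSER, "user not found");
    printf("UI:  %s\nlog: %s\n", auth_user_message(SASL_NOUSER), line);
    return 0;
}
```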