I attempted to perform a password change against a Kerberos KDC that had certain password restrictions in place. It returned the following message (comprised of 295 characters) from the KDC:
Password change rejected: New password does not have enough character classes.
The character classes are:
- lower-case letters,
- upper-case letters,
- digits,
- punctuation, and
- all other characters (e.g., control characters).
Please choose a password with at least 4 character classes.
This message was not reported to me at the command prompt. Instead I received only:
passwd: Authentication token manipulation error
Looking into the code, the source of the problem is that the response messages have a fixed size of 255 characters (defined by MAX_CHILD_MSG_SIZE). If a component of the message sent into pack_response_packet() would cause the message to exceed MAX_CHILD_MSG_SIZE, it is dropped. This means that we will still return the appropriate error code, but no message to tell the user why it failed.
SSSD should handle an arbitrary length response message, rather than preallocating the response buffer. It is very important that we not deprive the user of any advisory information.
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/432
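The failure mode described in the report, as an added example; it is not SSSD's code and not the fix referenced in the comments. It packs the same components once into a buffer capped at MAX_CHILD_MSG_SIZE and once into a buffer sized to the data. The function names `pack`, `packed_size` and `demo`, the 4-byte length-prefix framing, and the sample strings are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHILD_MSG_SIZE 255  /* fixed cap named in the report */
#define HDR sizeof(uint32_t)    /* assumed framing: 4-byte length prefix */
struct result { size_t fixed_len, fixed_dropped, dyn_len, dyn_dropped; };

/* Pack length-prefixed strings into buf[cap]; one that does not fit is skipped. */
size_t pack(uint8_t *buf, size_t cap, const char **s, size_t n, size_t *dropped)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(s[i]), room = cap - used;
        if (room < HDR || len > room - HDR || len > UINT32_MAX) { (*dropped)++; continue; }
        uint32_t len32 = (uint32_t)len;
        memcpy(buf + used, &len32, HDR);
        memcpy(buf + used + HDR, s[i], len);
        used += HDR + len;
    }
    return used;
}

/* Bytes needed to pack every component, or 0 if the total would overflow. */
size_t packed_size(const char **s, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(s[i]);
        if (len > UINT32_MAX - HDR || total > SIZE_MAX - (len + HDR)) return 0;
        total += len + HDR;
    }
    return total;
}

/* Constructed sample: a short status text plus a 295-character advisory. */
struct result demo(void)
{
    char msg[296] = { 0 };
    const char *parts[] = { "FAIL", msg };
    uint8_t fixed[MAX_CHILD_MSG_SIZE];
    struct result r = { 0, 0, 0, 0 };
    memset(msg, 'x', 295);
    r.fixed_len = pack(fixed, sizeof fixed, parts, 2, &r.fixed_dropped);
    size_t need = packed_size(parts, 2);      /* size the buffer to the data */
    uint8_t *dyn = malloc(need);
    if (dyn != NULL) r.dyn_len = pack(dyn, need, parts, 2, &r.dyn_dropped);
    free(dyn);
    return r;
}
```

With the fixed cap the status component is packed and the 295-character advisory is counted as dropped; with the measured buffer both components are packed.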
Comments
Comment from dpal at 2010-03-23 13:49:19
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.1.1
Comment from sgallagh at 2010-03-23 14:10:41
Fields changed
owner: sbose => sgallagh
status: new => assigned
Comment from sgallagh at 2010-03-25 21:04:16
Fixed by f539717
fixedin: => 1.1.1
resolution: => fixed
status: assigned => closed
Comment from dpal at 2012-01-19 02:42:38
Fields changed
rhbz: => 0
Comment from sgallagh at 2017-02-24 14:54:08
Metadata Update from @sgallagh: