Large PAM responses are not returned to the client #1474

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/432

  • Created at 2010-03-22 19:06:19 by sgallagh
  • Closed as Fixed
  • Assigned to sgallagh

I attempted to perform a password change against a Kerberos KDC that had certain password restrictions in place. It returned the following message (comprised of 295 characters) from the KDC:

Password change rejected: New password does not have enough character classes.
The character classes are:
	- lower-case letters,
	- upper-case letters,
	- digits,
	- punctuation, and
	- all other characters (e.g., control characters).
Please choose a password with at least 4 character classes.

This message was not reported to me at the command prompt. Instead I received only:

passwd: Authentication token manipulation error

Looking into the code, the source of the problem is that the response messages have a fixed size of 255 characters (defined by MAX_CHILD_MSG_SIZE). If a component of the message sent into pack_response_packet() would cause the message to exceed MAX_CHILD_MSG_SIZE, it is dropped. This means that we will still return the appropriate error code, but no message to tell the user why it failed.

SSSD should handle an arbitrary length response message, rather than preallocating the response buffer. It is very important that we not deprive the user of any advisory information.

Comments


Comment from dpal at 2010-03-23 13:49:19

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.1.1


Comment from sgallagh at 2010-03-23 14:10:41

Fields changed

owner: sbose => sgallagh
status: new => assigned


Comment from sgallagh at 2010-03-25 21:04:16

Fixed by f539717

fixedin: => 1.1.1
resolution: => fixed
status: assigned => closed


Comment from dpal at 2012-01-19 02:42:38

Fields changed

rhbz: => 0


Comment from sgallagh at 2017-02-24 14:54:08

Metadata Update from @sgallagh:

  • Issue assigned to sgallagh
  • Issue set to the milestone: SSSD 1.1.1
@sssd-bot sssd-bot added the Closed: Fixed Issue was closed as fixed. label May 2, 2020
@sssd-bot sssd-bot closed this as completed May 2, 2020
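
The failure described in the report next to the behaviour it asks for, as an added example that is not SSSD's code and not the fix in f539717. The packet layout (type, length, data) and the names `pack_fixed`, `pack_dynamic` and `packed_len` are assumptions; only `MAX_CHILD_MSG_SIZE` and its value of 255 come from the report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CHILD_MSG_SIZE 255      /* fixed limit named in the report */
#define HDR (2 * sizeof(uint32_t))  /* assumed component header: type + length */
struct packet { uint8_t *buf; size_t len; };

static void put(struct packet *p, uint32_t type, const void *d, uint32_t n)
{
    memcpy(p->buf + p->len, &type, sizeof type);
    memcpy(p->buf + p->len + sizeof type, &n, sizeof n);
    memcpy(p->buf + p->len + HDR, d, n);
    p->len += HDR + n;
}

/* Reported behaviour: preallocated buffer; a component that does not fit is dropped. */
static int pack_fixed(struct packet *p, uint32_t type, const void *d, size_t n)
{
    size_t room = MAX_CHILD_MSG_SIZE - p->len;
    if (room < HDR || n > room - HDR) return 0;   /* message silently lost */
    put(p, type, d, (uint32_t)n);
    return 1;
}

/* Requested behaviour: grow the buffer to fit, guarding the size arithmetic. */
static int pack_dynamic(struct packet *p, uint32_t type, const void *d, size_t n)
{
    if (n > UINT32_MAX || n > SIZE_MAX - HDR - p->len) return -1;
    uint8_t *nb = realloc(p->buf, p->len + HDR + n);
    if (nb == NULL) return -1;                    /* old buffer is still valid */
    p->buf = nb;
    put(p, type, d, (uint32_t)n);
    return 1;
}

/* Pack a 4-byte status, then an n-byte constructed message; return the packet length. */
size_t packed_len(int dynamic, size_t n)
{
    int (*pack)(struct packet *, uint32_t, const void *, size_t) = dynamic ? pack_dynamic : pack_fixed;
    struct packet p = { malloc(MAX_CHILD_MSG_SIZE), 0 };
    uint32_t status = 1;               /* constructed status code */
    char *msg = calloc(n + 1, 1);      /* constructed message body */
    if (p.buf == NULL || msg == NULL) { free(msg); free(p.buf); return 0; }
    pack(&p, 1, &status, sizeof status);
    pack(&p, 2, msg, n);
    free(msg); free(p.buf);
    return p.len;
}
```

With a 295-byte message, `packed_len(0, 295)` returns 12 (status only, message dropped) while `packed_len(1, 295)` returns 315.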