Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Backport][ipa-4-8] CVE-2020-1722: prevent use of too long passwords #4526

Closed
wants to merge 1 commit into from
Closed

[Backport][ipa-4-8] CVE-2020-1722: prevent use of too long passwords #4526

wants to merge 1 commit into from

Conversation

abbra
Copy link
Contributor

@abbra abbra commented Apr 14, 2020

This PR was opened automatically because PR #4525 was pushed to master and backport to ipa-4-8 is required.

@abbra
CVE-2020-1722: prevent use of too long passwords
3f6a19d 
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut off for user passwords, use limit of 1000
characters.

Thus, this patch enforces common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
@abbra
Copy link
Contributor Author

abbra commented Apr 14, 2020

PR was ACKed automatically because this is backport of PR #4525. Wait for CI to finish before pushing. In case of questions or problems contact @abbra who is author of the original PR.

@abbra abbra added ack Pull Request approved, can be merged pushed Pull Request has already been pushed labels Apr 14, 2020
@abbra
Copy link
Contributor Author

abbra commented Apr 14, 2020

ipa-4-8:

@abbra abbra closed this Apr 14, 2020
@fcami fcami mentioned this pull request Feb 18, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
ack Pull Request approved, can be merged pushed Pull Request has already been pushed
Projects
None yet
Milestone
No milestone
1 participant
@abbra