freeipa/daemons/ipa-slapi-plugins
Alexander Bokovoy dbf5df4a66 CVE-2020-1722: prevent use of too long passwords
NIST SP 800-63-3B, in A.2, sets a recommendation to have an upper bound on password length:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied a 256-character limit for non-random passwords
set through the ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut-off of user passwords, use a limit of 1000
characters.

Thus, this patch enforces a common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2020-04-14 12:36:01 +03:00
common Migrate from #ifndef guards to #pragma once 2016-05-29 14:04:45 +02:00
ipa-cldap Fix resource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon 2018-10-23 16:45:22 +02:00
ipa-dns slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-enrollment slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-extdom-extop extdom: use sss_nss_*_timeout calls 2019-09-12 10:48:13 +03:00
ipa-lockout slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-modrdn slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-otp-counter slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-otp-lasttoken User must not be able to delete his last active otp token 2018-02-15 14:10:48 +01:00
ipa-pwd-extop CVE-2020-1722: prevent use of too long passwords 2020-04-14 12:36:01 +03:00
ipa-range-check slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-sidgen ipa-sidgen: make internal fetch_attr helper really internal 2018-12-14 14:04:02 +01:00
ipa-uuid 389-ds-base crashed as part of ipa-server-install in ipa-uuid 2017-11-08 08:06:35 +01:00
ipa-version slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
ipa-winsync slapi plugins: fix CFLAGS 2017-03-15 08:55:12 +00:00
libotp Compile IPA modules with C11 extensions 2019-02-07 12:33:45 +01:00
topology Cleanup shebang and executable bit 2018-07-05 19:46:42 +02:00
Makefile.am Build: remove incorrect use of MAINTAINERCLEANFILES 2016-11-16 09:12:07 +01:00
README Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00