freeipa/client
Alexander Bokovoy dbf5df4a66 CVE-2020-1722: prevent use of too long passwords
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut off for user passwords, use limit of 1000
characters.

Thus, this patch enforces common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2020-04-14 12:36:01 +03:00
..
man CVE-2020-1722: prevent use of too long passwords 2020-04-14 12:36:01 +03:00
share Move client templates to separate directory 2018-06-05 16:34:27 -04:00
sysconfig Increase default debug level of certmonger 2019-06-24 10:00:37 +02:00
config.c Fix ressource leak in client/config.c get_config_entry 2018-10-23 16:45:22 +02:00
ipa-certupdate.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
ipa-client-automount.in Introduce minimal ipa-client-automount.in and ipactl.in 2019-06-28 10:53:07 +02:00
ipa-client-common.c Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts) 2016-01-27 12:09:02 +01:00
ipa-client-common.h Migrate from #ifndef guards to #pragma once 2016-05-29 14:04:45 +02:00
ipa-client-install.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
ipa-client-samba.in ipa-client-samba: a tool to configure Samba domain member on IPA client 2019-06-29 11:00:28 +03:00
ipa-getkeytab.c CVE-2020-1722: prevent use of too long passwords 2020-04-14 12:36:01 +03:00
ipa-join.c Print LDAP diagnostic messages on error 2020-01-17 15:47:00 +01:00
ipa-rmkeytab.c ipa-rmkeytab, ipa-join: don't fail if init of gettext failed 2016-06-27 12:34:18 +02:00
Makefile.am ipa-client-samba: a tool to configure Samba domain member on IPA client 2019-06-29 11:00:28 +03:00
version.m4.in Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts) 2016-01-27 12:09:02 +01:00