freeipa/ipatests
Alexander Bokovoy dbf5df4a66 CVE-2020-1722: prevent use of too long passwords
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied a 256-character limit for non-random passwords
set through the ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut-off of user passwords, use a limit of 1000
characters.

Thus, this patch enforces a common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2020-04-14 12:36:01 +03:00
azure Azure: Gather coredumps 2020-04-08 11:27:45 +03:00
man Simplify ipa-run-tests script 2019-07-16 13:23:21 +03:00
prci_definitions ipatests: increase test_ipahealthcheck timeout 2020-04-09 09:08:57 +03:00
pytest_ipa ipatests: Mark firewalld commands as no-op on non-firewalld distros 2020-04-08 16:33:35 +02:00
test_cmdline pytest: Migrate unittest/nose to Pytest fixtures 2020-02-12 18:08:32 +02:00
test_install pytest: Migrate unittest/nose to Pytest fixtures 2020-02-12 18:08:32 +02:00
test_integration CVE-2020-1722: prevent use of too long passwords 2020-04-14 12:36:01 +03:00
test_ipaclient Fix Pytest4.x warning about message 2019-06-19 19:20:14 +10:00
test_ipalib pylint: Synchronize pylint plugin to ipatests code 2020-02-12 18:08:32 +02:00
test_ipaplatform Don't configure KEYRING ccache in containers 2019-01-18 11:33:11 +01:00
test_ipapython pylint: Synchronize pylint plugin to ipatests code 2020-02-12 18:08:32 +02:00
test_ipaserver ipatests: Properly kill gpg-agent 2020-02-12 18:08:32 +02:00
test_ipatests_plugins ipatests: Allow zero-length arguments 2020-02-14 09:29:20 +02:00
test_webui pytest: Migrate unittest/nose to Pytest fixtures 2020-02-12 18:08:32 +02:00
test_xmlrpc Allow rename of a host group 2020-03-31 09:21:37 +03:00
__init__.py Make an ipa-tests package 2013-06-17 19:22:50 +02:00
conftest.py Azure: Allow to run integration tests 2020-02-25 18:02:12 +02:00
create_external_ca.py Test external CA with DNS name constraints 2019-08-06 12:39:46 +02:00
data.py Fix more bytes/unicode issues 2015-10-22 18:34:46 +02:00
i18n.py Sprinkle raw strings across the code base 2018-09-27 10:23:03 +02:00
ipa-run-tests ipatests: Allow zero-length arguments 2020-02-14 09:29:20 +02:00
ipa-test-config Rename pytest_plugins to ipatests.pytest_ipa 2018-08-02 17:07:43 +02:00
ipa-test-task Rename pytest_plugins to ipatests.pytest_ipa 2018-08-02 17:07:43 +02:00
Makefile.am Build: fix distribution of static files for web UI 2016-11-09 13:08:32 +01:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Simplify ipa-run-tests script 2019-07-16 13:23:21 +03:00
test_util.py pylint: Synchronize pylint plugin to ipatests code 2020-02-12 18:08:32 +02:00
util.py ipatests: add context manager for declaring part of test as xfail 2020-04-03 11:15:57 +02:00