[Bug 1822736] Re: Passwords longer than 255 characters break authentication

Chris Guiver guiverc+ubuntu at gmail.com
Wed Apr 3 01:57:24 UTC 2019


Booted up a Ubuntu 14.04 LTS box & followed test procedure.

Same result - steps followed fine until the 256 char password was
entered, after which I was unable to `sudo whoami` (password was not accepted).


OS: Ubuntu 14.04.6 LTS x86_64 
Host: HP Compaq dc7700 Small Form Factor 
Kernel: 3.13.0-168-generic 
Uptime: 22 mins 
Packages: 2377 (dpkg) 
Shell: bash 4.3.11 
Theme: Ambiant-MATE [GTK3] 
Icons: Ambiant-MATE [GTK3] 
Terminal: gnome-terminal 
CPU: Intel Core 2 6320 (2) @ 1.867GHz 
GPU: NVIDIA Quadro NVS 290 
Memory: 1071MiB / 4896MiB 

test at dc7700ub:~$ apt-cache policy libpam0g
libpam0g:
  Installed: 1.1.8-1ubuntu2.2
  Candidate: 1.1.8-1ubuntu2.2
  Version table:
 *** 1.1.8-1ubuntu2.2 0
        500 http://ftp.iinet.net.au/pub/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.8-1ubuntu2 0
        500 http://ftp.iinet.net.au/pub/ubuntu/ trusty/main amd64 Packages

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1822736

Title:
  Passwords longer than 255 characters break authentication

Status in pam package in Ubuntu:
  Confirmed

Bug description:
  DISCUSSION

  When a password longer than 255 characters is set for any user
  account, this user will become unable to authenticate when running
  'sudo' or 'passwd'.

  IMPACT

  This affects 18.04.2 systems, whether they were installed using
  Desktop (ubiquity) or Server (subiquity) installers. It may also
  affect other releases - this is yet untested.

  Tagged 'security' since these utilities then deny service to this
  user.

  REPRODUCTION

  # Add user 'test' with password 'testtest'
  sudo adduser --gecos '' test

  # Add user 'test' to the 'sudo' group
  sudo adduser test sudo

  # Become user 'test'
  sudo -iu test

  # Verify user 'test' can run commands via sudo
  sudo whoami

  # Change password of 'test' to this 255 character long password: 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
  passwd

  # Verify user 'test' can run commands via sudo with the new password set
  sudo -k
  sudo whoami    # should report "root"

  # Change password of 'test' to 'testtest':
  passwd

  # Verify user 'test' can run commands via sudo with the new password set
  sudo -k
  sudo whoami    # should report "root"

  # Change password of 'test' to this 256 character long password: 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456
  passwd

  # Verify user 'test' can run commands via sudo with the new password set
  sudo -k
  sudo whoami    # should report "root"

  # This authentication fails, as sudo does not accept the 256 character password.
  # Attempting to change this password to a different value also fails:
  passwd

  # Effectively, user 'test' is now unable to use sudo, or to change
  their password.

  # The 'login' command, run by root, does, however, still enable user 'test' to login using the newly set 256 character password.
  # At the same time, a different restricted user who is a member of the 'sudo' group can still set a new password for 'test' (after authenticating to sudo with their own password) by supplying the current 256 character password using:
  sudo -u test passwd

  # Finally, to clean up
  sudo deluser --remove-home test

  ADDITIONAL OBSERVATIONS

  * A root-initiated 'login' command still allows this user to authenticate.
  * A different restricted user who is a member of the 'sudo' group can still set a new password for this user's account (after authenticating to sudo with their own password) by supplying the >=256 character password

  CREDIT

  This was originally reported by 'Fieldy', I just reproduced it / filed
  this bug report.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: libpam0g 1.1.8-3.6ubuntu2.18.04.1
  ProcVersionSignature: Ubuntu 4.18.0-16.17~18.04.1-generic 4.18.20
  Uname: Linux 4.18.0-16-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Tue Apr  2 09:39:39 2019
  SourcePackage: pam
  UpgradeStatus: No upgrade log present (probably fresh install)

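The reproduction above is typed interactively (`passwd` prompts twice per change). The script below is an added example, not part of the bug report or of the pam package, that performs the same 255-versus-256 character comparison non-interactively on a disposable test machine: it creates a throwaway account, sets each password with `chpasswd`, and feeds it to `sudo -S` so the result can be checked in a loop. It assumes it is run as root on an Ubuntu host with `adduser`, `chpasswd`, `su` and `sudo` installed; the account name `pamlentest` and the `--run` guard are arbitrary choices made here. Without `--run` the script only defines its functions.

```sh
#!/bin/sh
# Added example (not from the bug report): non-interactive check of whether
# sudo on this host accepts a 255-character password but rejects a
# 256-character one, as described in Launchpad bug 1822736.
# Assumptions: run as root on a disposable Ubuntu test box; the throwaway
# account name 'pamlentest' is an arbitrary choice.
set -u

# Build a password of exactly N characters using the same repeating
# "1234567890" pattern as the bug report. No trailing newline is printed.
gen_password() {
    n=$1
    s=""
    i=1
    while [ "$i" -le "$n" ]; do
        s="${s}$(( i % 10 ))"   # i=1..9 -> 1..9, i=10 -> 0, then repeats
        i=$(( i + 1 ))
    done
    printf '%s' "$s"
}

# Set the password of user $1 to $2 via chpasswd (no terminal prompts).
set_password() {
    printf '%s:%s\n' "$1" "$2" | chpasswd
}

# Authenticate user $1 to sudo with password $2 supplied on stdin.
# -k discards any cached credential, -S reads the password from stdin,
# -p "" suppresses the prompt. Returns sudo's exit status (0 = accepted).
sudo_accepts() {
    printf '%s\n' "$2" | su -s /bin/sh "$1" -c 'sudo -S -k -p "" whoami' \
        >/dev/null 2>&1
}

# Create the test account, try both password lengths, then clean up.
check_host() {
    user=pamlentest
    adduser --gecos '' --disabled-password "$user" >/dev/null
    adduser "$user" sudo >/dev/null
    for len in 255 256; do
        pw=$(gen_password "$len")
        set_password "$user" "$pw"
        if sudo_accepts "$user" "$pw"; then
            echo "len=$len: sudo accepted the password"
        else
            echo "len=$len: sudo REJECTED the password (bug 1822736 behaviour)"
        fi
    done
    deluser --remove-home "$user" >/dev/null
}

# Only touch the system when explicitly asked to, and only as root.
if [ "${1:-}" = "--run" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root on a disposable test machine" >&2
        exit 1
    fi
    check_host
fi
```

Run it as `sudo sh check_pw_length.sh --run`. A host showing the bug prints "accepted" for 255 and "REJECTED" for 256; a fixed host prints "accepted" for both. Because `chpasswd` is used, the 256-character password can be set even on an affected host, which matches the report's observation that only the user's own `passwd` and `sudo` authentication fail.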