[prev in list] [next in list] [prev in thread] [next in thread] 

List:       pam-list
Subject:    Re: strange behaviour when password longer than 512 bytes
From:       Brian Mathis <brian.mathis+pam () betteradmin ! com>
Date:       2016-06-03 19:47:43
Message-ID: CALKwpEwgYf2OzxGHDY53X7ixRXwQTS3oS6edUF-Ad_TiCxiFyA () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


Any time you paste into a terminal window and a program stops accepting
input, the remaining characters are passed to the next shell prompt.  This
is typical behavior for any situation where you are pasting something from
the clipboard, as a paste is really seen by the program as if you are just
typing really fast.  The passwd program is no longer accepting input after
512 bytes, so you are seeing this behavior.


~ Brian Mathis
@orev


On Fri, Jun 3, 2016 at 11:43 AM, Pablo Hinojosa Nava <pablohn6@gmail.com>
wrote:

> I have seen a strange behaviour when I try to set a password longer than
> 512 bytes.
> 
> I guess because of CVE-2015-3238 the limit of the password was set to 512
> bytes. That is why if I set a password of more than 512 bytes only first
> 512 are saved (maybe in this line
> <https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/pam_unix_passwd.c#n313>).
>  The problem is the remaining characters. Using passwd, the rest of the
> characters go outside the command and are interpreted by next command
> (usually another prompt). That is why if you set, for example, this
> password:
> 
> ThisisalooooooooooooongpasswordAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
> AAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB \
> BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC \
> CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDD \
> DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDqwertyuiopasdfghjklzx \
> cvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm0123456789012345678901234567890CVEecho
> 
> > "Hello"
> > 
> 
> that is, 512 random characters and then echo "Hello", passwd set the
> password (only 512 characters) BUT the remaining characters are executed as
> a command. So with that password, passwd will update the password and then
> execute
> 
> echo "Hello"
> > 
> 
> 
> [root@localhost ~]# passwd username
> > Changing password for user username.
> > New password:
> > Retype new password:
> > passwd: all authentication tokens updated successfully.
> > [root@localhost ~]# echo "Hello"
> > Hello
> > 
> 
> Why the remaining characters are executed? Why do not drop them? How can I
> manage them to prevent being interpreted by next command?
> 
> Cheers,
> 
> Pablo Hinojosa.    CC58B86B
> <https://pgp.mit.edu/pks/lookup?op=get&search=0x947319E2CC58B86B>
> PabloHinojosa.is
> <http://pablohinojosa.is/this?utm_source=firma&utm_medium=correo&utm_campaign=firma>
>  
> 
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
> 


[Attachment #5 (text/html)]

<div dir="ltr">Any time you paste into a terminal window and a program stops \
accepting input, the remaining characters are passed to the next shell prompt.   This \
is typical behavior for any situation where you are pasting something from the \
clipboard, as a paste is really seen by the program as if you are just typing really \
fast.   The passwd program is no longer accepting input after 512 bytes, so you are \
seeing this behavior.<br><br><div><div class="gmail_extra"><br clear="all"><div><div \
data-smartmail="gmail_signature"><div dir="ltr"><span><div><div dir="ltr"><div>~ \
Brian Mathis<br></div>@orev<br></div></div></span></div></div></div> <br><br><div \
class="gmail_quote">On Fri, Jun 3, 2016 at 11:43 AM, Pablo Hinojosa Nava <span \
dir="ltr">&lt;<a href="mailto:pablohn6@gmail.com" \
target="_blank">pablohn6@gmail.com</a>&gt;</span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div \
dir="ltr"><div><div>I have seen a strange behaviour when I try to set a password \
longer than 512 bytes.<br></div><br>I guess because of CVE-2015-3238 the limit of the \
password was set to 512 bytes. That is why if I set a password of more than 512 bytes \
only first 512 are saved (<a \
href="https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/pam_unix_passwd.c#n313" \
target="_blank">maybe in this line</a>). The problem is the remaining characters. \
Using passwd, the rest of the characters go outside the command and are interpreted \
by next command (usually another prompt). That is why if you set, for example, this \
password:<br><br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid \
rgb(204,204,204);padding-left:1ex" \
class="gmail_quote">ThisisalooooooooooooongpasswordAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB \
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCC \
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDD \
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDqwertyuiopa \
sdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm0123456789012345678901234567890CVEecho \
&quot;Hello&quot;<br></blockquote><br></div><div>that is, 512 random characters and \
then echo &quot;Hello&quot;, passwd set the password (only 512 characters) BUT the \
remaining characters are executed as a command. So with that password, passwd will \
update the password and then execute <br><br></div><div><blockquote style="margin:0px \
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" \
class="gmail_quote">echo \
&quot;Hello&quot;<br></blockquote><br><br></div><div><blockquote style="margin:0px \
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" \
class="gmail_quote">[root@localhost ~]# passwd username<br>Changing password for user \
username.<br>New password: <br>Retype new password: <br>passwd: all authentication \
tokens updated successfully.<br>[root@localhost ~]# echo \
&quot;Hello&quot;<br>Hello<br></blockquote><br></div><div>Why the remaining \
characters are executed? Why do not drop them? How can I manage them to prevent being \
interpreted by next command?<br></div><div><br></div><div>Cheers, <br></div><div><br \
clear="all"><div><div><div dir="ltr"><div>Pablo Hinojosa.      <a \
href="https://pgp.mit.edu/pks/lookup?op=get&amp;search=0x947319E2CC58B86B" \
style="font-size:12.8px" target="_blank">CC58B86B</a><br><a \
href="http://pablohinojosa.is/this?utm_source=firma&amp;utm_medium=correo&amp;utm_campaign=firma" \
target="_blank">PabloHinojosa.is</a></div><div><br></div><div><br></div></div></div></div>
 </div></div>
</div><br></div>
<br>_______________________________________________<br>
Pam-list mailing list<br>
<a href="mailto:Pam-list@redhat.com" target="_blank">Pam-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pam-list" rel="noreferrer" \
target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><br></blockquote></div><br></div></div></div>




_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic