strange behaviour when password longer than 512 bytes

Brian Mathis brian.mathis+pam at betteradmin.com
Fri Jun 3 19:47:43 UTC 2016


Any time you paste into a terminal window and a program stops accepting
input, the remaining characters are passed to the next shell prompt.  This
is typical behavior for any situation where you are pasting something from
the clipboard, as a paste is really seen by the program as if you are just
typing really fast.  The passwd program is no longer accepting input after
512 bytes, so you are seeing this behavior.


~ Brian Mathis
@orev


On Fri, Jun 3, 2016 at 11:43 AM, Pablo Hinojosa Nava <pablohn6 at gmail.com>
wrote:

> I have seen a strange behaviour when I try to set a password longer than
> 512 bytes.
>
> I guess because of CVE-2015-3238 the limit of the password was set to 512
> bytes. That is why if I set a password of more than 512 bytes only the first
> 512 are saved (maybe in this line
> <https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_unix/pam_unix_passwd.c#n313>).
> The problem is the remaining characters. Using passwd, the rest of the
> characters go outside the command and are interpreted by the next command
> (usually another prompt). That is why if you set, for example, this
> password:
>
> [512 random characters]echo "Hello"
>
>
> that is, 512 random characters and then echo "Hello", passwd sets the
> password (only 512 characters) BUT the remaining characters are executed as
> a command. So with that password, passwd will update the password and then
> execute
>
> echo "Hello"
>
> [root@localhost ~]# passwd username
> Changing password for user username.
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> [root@localhost ~]# echo "Hello"
> Hello
>
> Why are the remaining characters executed? Why not drop them? How can I
> manage them to prevent them being interpreted by the next command?
>
> Cheers,
>
> Pablo Hinojosa.    CC58B86B
> <https://pgp.mit.edu/pks/lookup?op=get&search=0x947319E2CC58B86B>
> PabloHinojosa.is
> <http://pablohinojosa.is/this?utm_source=firma&utm_medium=correo&utm_campaign=firma>
>
>
>
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
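
The behaviour discussed in this thread, as an added example (not code from Linux-PAM or passwd, and not part of either message): a reader that stops at 512 bytes leaves the rest of a pasted line queued for the next reader, while one that consumes the line up to the newline does not. The function names are hypothetical, the input is constructed, and a pipe stands in for the terminal.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PW_MAX 512 /* limit quoted in the thread (assumed, not taken from PAM headers) */

/* Naive reader: one read() of at most PW_MAX bytes; the rest stays queued on fd. */
ssize_t read_naive(int fd, char *buf)
{
    return read(fd, buf, PW_MAX);
}

/* Keeps at most PW_MAX bytes of the line and consumes the remainder up to
 * the newline, so it never reaches the next reader of fd. buf needs PW_MAX+1. */
ssize_t read_drained(int fd, char *buf, size_t *dropped)
{
    size_t n = 0;
    char c;
    *dropped = 0;
    while (read(fd, &c, 1) == 1 && c != '\n') {
        if (n < PW_MAX) buf[n++] = c;
        else (*dropped)++;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Constructed input: 512 filler bytes followed by `echo "Hello"` and Enter,
 * written to a pipe standing in for the terminal. Returns the bytes still
 * queued after the password read, i.e. what a shell would see next. */
long leftover_after(int drain)
{
    int p[2];
    char in[PW_MAX + 32], buf[PW_MAX + 1], rest[64];
    size_t dropped;
    if (pipe(p) != 0) return -1;
    memset(in, 'A', PW_MAX);
    strcpy(in + PW_MAX, "echo \"Hello\"\n");
    if (write(p[1], in, strlen(in)) < 0) return -1;
    close(p[1]);
    if (drain) read_drained(p[0], buf, &dropped); else read_naive(p[0], buf);
    long left = (long)read(p[0], rest, sizeof rest);
    close(p[0]);
    return left;
}

int main(void)
{
    printf("naive: %ld bytes left, drained: %ld bytes left\n",
           leftover_after(0), leftover_after(1));
    return 0;
}
```

Draining to the newline only discards the remainder of that one line; a paste containing further lines would still deliver them to the next reader.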