Bug 49740 - Denial of Service: pam_krb5 authentication hangs in hashsum generation
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Kerberos
UCS 4.4
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-1-errata
Assigned To: Florian Best
Johannes Keiser
https://github.com/rra/pam-krb5/issue...
Depends on:
Blocks: 44602
Reported: 2019-06-27 16:52 CEST by Florian Best
Modified: 2021-06-23 07:29 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


Description Florian Best univentionstaff 2019-06-27 16:52:32 CEST
https://github.com/rra/pam-krb5/issues/13

pam_krb5 hangs during the hashsum generation of the given password.
This causes python-pam processes to hang forever when someone logs in with a very long password.
Comment 1 Florian Best univentionstaff 2019-07-12 18:22:22 CEST
Applied attachment 10087 in the scope fbest:

Successful build
Package: libpam-krb5
Version: 4.7-4A~4.4.0.201907121744
Branch: ucs_4.4-0
Scope: fbest
Comment 2 Florian Best univentionstaff 2019-07-22 19:14:15 CEST
Added a different patch, which strips the password at 1024 characters. I found that MIT Kerberos restricts passwords to 1024 characters, so I think this is better than 512. We use Heimdal Kerberos, where I didn't find a limit at first glance.

Patch: svn r18624

libpam-krb5.yaml
73ee35d0e2ec | YAML Bug #49740

Package: libpam-krb5
Version: 4.7-4A~4.4.0.201907221908
Branch: ucs_4.4-0
Scope: errata4.4-1
Comment 3 Johannes Keiser univentionstaff 2019-07-30 09:16:57 CEST
OK: login with password > 1024 chars not possible
OK: pam_krb5 does not hang anymore for big passwords
OK: yaml
-> verified
Comment 4 Arvid Requate univentionstaff 2019-07-31 13:58:42 CEST
<http://errata.software-univention.de/ucs/4.4/204.html>
Comment 5 Florian Best univentionstaff 2020-05-08 13:18:01 CEST
A patch for this meanwhile made it into pam-krb5:
https://github.com/rra/pam-krb5/commit/65839ecb9ab8b7ce886d44806f4d93d3e6080584