Univention Bugzilla – Bug 49740
Denial of Service: pam_krb5 authentication hangs in hashsum generation
Last modified: 2021-06-23 07:29:06 CEST
https://github.com/rra/pam-krb5/issues/13 pam_krb5 hangs during the hashsum generation of the given password. This causes python-pam processes to hang forever when someone logs in with a very long password.
Applied attachment 10087 in the scope fbest: Successful build
Package: libpam-krb5
Version: 4.7-4A~4.4.0.201907121744
Branch: ucs_4.4-0
Scope: fbest
Added a different patch, which strips the password at 1024 characters. I found that MIT Kerberos restricts passwords to 1024 characters, so I think this is better than 512. We use Heimdal Kerberos, where I didn't find a limit at first glance.
Patch: svn r18624 libpam-krb5.yaml 73ee35d0e2ec | YAML Bug #49740
Package: libpam-krb5
Version: 4.7-4A~4.4.0.201907221908
Branch: ucs_4.4-0
Scope: errata4.4-1
OK: login with password > 1024 chars not possible
OK: pam_krb5 does not hang anymore for big passwords
OK: yaml -> verified
<http://errata.software-univention.de/ucs/4.4/204.html>
A patch for this meanwhile made it into pam-krb5: https://github.com/rra/pam-krb5/commit/65839ecb9ab8b7ce886d44806f4d93d3e6080584