Bug 52575 - machine/password/length of 28 or larger causes core dump in univention.license
Status: NEW
Product: UCS
Classification: Unclassified
Component: General
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2021-01-11 18:59 CET by Arvid Requate
Modified: 2022-01-16 10:11 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Attachments
allow_maximum_password_length_256.patch (1.00 KB, patch)
2021-01-11 19:00 CET, Arvid Requate
Patch suggestion, including default password length (8.30 KB, patch)
2022-01-16 10:11 CET, Gino Harlos

Description Arvid Requate univentionstaff 2021-01-11 18:59:29 CET
Setting up a UCS system with a machine/password/length of 28 characters or more causes a core dump in univention.license, making the UMC modules unusable.

root@dc:/# python
Python 2.7.13 (default, Aug 22 2020, 10:03:02) 
[GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import univention.license
>>> univention.license.select("admin")
03.12.20 13:36:47.487  DEBUG_INIT
03.12.20 13:36:47.517  LDAP        ( ERROR   ) : ldap_simple_bind: Invalid credentials
python: search.c:95: ldap_pvt_search: Assertion `ld != NULL' failed.
Aborted (core dumped)

In this case it was a primary/master and ldap.secret exceeded the hard coded limit of

#define _UNIVENTION_LDAP_SECRET_LEN_MAX 27

in univention-policy/lib/ldap.c.

It would be good to allow longer passwords for critical accounts.
Comment 1 Arvid Requate univentionstaff 2021-01-11 19:00:09 CET
Created attachment 10589 [details]
allow_maximum_password_length_256.patch

Patch proposal
Comment 2 Philipp Hahn univentionstaff 2021-01-13 08:05:55 CET
Windows uses 120 UTF-16 character = 240 bytes, so 256 is okay from that perspective.

Until Bug #31281 (UCS-3.2) it was limited to 8 characters, now it is:
base/univention-lib/shell/base.sh:
> create_machine_password () {
> 	local length compl
> 	length="$(/usr/sbin/univention-config-registry get machine/password/length)"
> 	compl="$(/usr/sbin/univention-config-registry get machine/password/complexity)"
> 	pwgen -1 -"${compl:-scn}" "${length:-20}" | tr -d '\n'
> }

`-s` = `--secure` → for machine usage
`-c` = `--capitalize` → at least one capital letter
`-n` = `--numerals` → also digits

(2*26+10)^20 = 704.423.425.546.998.022.968.330.264.616.370.176 =~ 7e35
is still enough for y2021.
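Added example, not code from univention-policy or from either attached patch: a reader for ldap.secret that applies a generous limit explicitly and reports an over-long or empty secret as an error instead of truncating it, so the caller can stop before binding with a wrong password and handing a NULL handle to the search. The 256-byte limit follows attachment 10589; the function names and error messages are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limit proposed in the attached patch; the hard-coded 27 in ldap.c is what broke. */
#define LDAP_SECRET_LEN_MAX 256

/* Return the first line of the raw ldap.secret contents (trailing "\n" or "\r\n"
 * removed) as a heap string.  On any problem return NULL and set *err, so the
 * caller refuses to bind instead of silently truncating the password. */
char *parse_ldap_secret(const char *raw, size_t rawlen, const char **err)
{
    size_t len = 0;
    while (len < rawlen && raw[len] != '\n')
        len++;
    if (len > 0 && raw[len - 1] == '\r')
        len--;                              /* tolerate CRLF line endings */
    if (len == 0) {
        *err = "ldap.secret is empty";
        return NULL;
    }
    if (len > LDAP_SECRET_LEN_MAX) {
        *err = "ldap.secret longer than LDAP_SECRET_LEN_MAX";
        return NULL;
    }
    char *secret = malloc(len + 1);
    if (secret == NULL) {
        *err = "out of memory";
        return NULL;
    }
    memcpy(secret, raw, len);
    secret[len] = '\0';
    *err = NULL;
    return secret;
}

/* Read the file and hand it to parse_ldap_secret().  The buffer is two bytes
 * larger than the limit so an over-long first line is detected, not cut off. */
char *load_ldap_secret(const char *path, const char **err)
{
    char buf[LDAP_SECRET_LEN_MAX + 2];
    FILE *fp = fopen(path, "rb");
    if (fp == NULL) {
        *err = "cannot open ldap.secret";
        return NULL;
    }
    size_t n = fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    return parse_ldap_secret(buf, n, err);
}
```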
Comment 3 Gino Harlos 2022-01-16 10:11:17 CET
Created attachment 10905 [details]
Patch suggestion, including default password length

I think it's time to increase the default password length to 32 or even 64. We have arrived in 2022 and as quickly as a new container comes, it also goes, or is simply forgotten.
I hope that I found all digits of the default password length.

Could also be something for the UCS security guide? ( https://forge.univention.org/bugzilla/show_bug.cgi?id=37877 )