Bug 52575 - machine/password/length of 28 or larger causes core dump in univention.license
Summary: machine/password/length of 28 or larger causes core dump in univention.license
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: General
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.2-1-errata
Assignee: Florian Best
QA Contact: Johannes Lohmer
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks: 58126
Reported: 2021-01-11 18:59 CET by Arvid Requate
Modified: 2025-04-02 14:09 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Customer ID:
Max CVSS v3 score:
requate: Patch_Available+


Attachments
allow_maximum_password_length_256.patch (1.00 KB, patch)
2021-01-11 19:00 CET, Arvid Requate
Patch suggestion, including default password length (8.30 KB, patch)
2022-01-16 10:11 CET, Gino Harlos

Description Arvid Requate univentionstaff 2021-01-11 18:59:29 CET
Setting up a UCS system with a machine/password/length of 28 characters or more causes a core dump in univention.license, making the UMC modules unusable.

root@dc:/# python
Python 2.7.13 (default, Aug 22 2020, 10:03:02) 
[GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import univention.license
>>> univention.license.select("admin")
03.12.20 13:36:47.487  DEBUG_INIT
03.12.20 13:36:47.517  LDAP        ( ERROR   ) : ldap_simple_bind: Invalid credentials
python: search.c:95: ldap_pvt_search: Assertion `ld != NULL' failed.
Aborted (core dumped)

In this case it was a primary/master and ldap.secret exceeded the hard coded limit of

#define _UNIVENTION_LDAP_SECRET_LEN_MAX 27

in univention-policy/lib/ldap.c.

It would be good to allow longer passwords for critical accounts.
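
The failure mode in the report, as an added example (not code from univention-policy, whose secret-reading code is not shown on this page): assuming the secret is read into a fixed buffer sized for the 27-character limit, a longer secret is silently cut and the bind then fails with "Invalid credentials", whereas a checked read rejects the over-length secret before any bind is attempted. The function names and the 28-character sample secret are constructed for illustration; only the limit of 27 comes from the report.

```c
#include <stdio.h>
#include <string.h>
#define SECRET_LEN_MAX 27 /* the limit quoted in the report */

/* Assumed naive pattern: fgets() into a fixed buffer keeps only the first
 * bufsize-1 bytes and reports nothing when the secret was longer. */
size_t read_secret_truncating(FILE *fp, char *buf, size_t bufsize)
{
    if (fgets(buf, (int)bufsize, fp) == NULL)
        buf[0] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return strlen(buf);
}

/* Checked variant: 0 on success, -1 if empty or unreadable,
 * -2 if the secret does not fit; never hands back a partial secret. */
int read_secret_checked(FILE *fp, char *buf, size_t bufsize)
{
    size_t n = 0;
    int c;
    while ((c = fgetc(fp)) != EOF && c != '\n') {
        if (n + 1 >= bufsize) {
            memset(buf, 0, bufsize);
            return -2;
        }
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* Demo helper: temporary stream holding a constructed secret. */
static FILE *stream_with(const char *secret)
{
    FILE *fp = tmpfile();
    if (fp != NULL && fputs(secret, fp) != EOF)
        rewind(fp);
    return fp;
}

int main(void)
{
    char buf[SECRET_LEN_MAX + 1];
    FILE *fp = stream_with("abcdefghijklmnopqrstuvwxyz01"); /* constructed, 28 chars */
    if (fp == NULL) return 1;
    printf("truncating kept %zu of 28 bytes\n", read_secret_truncating(fp, buf, sizeof buf));
    rewind(fp);
    printf("checked rc=%d\n", read_secret_checked(fp, buf, sizeof buf));
    return fclose(fp);
}
```

A caller of the checked variant should stop on a non-zero return instead of continuing with an unbound LDAP handle, which is the state the `ld != NULL` assertion above tripped on.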
Comment 1 Arvid Requate univentionstaff 2021-01-11 19:00:09 CET
Created attachment 10589 [details]
allow_maximum_password_length_256.patch

Patch proposal
Comment 2 Philipp Hahn univentionstaff 2021-01-13 08:05:55 CET
Windows uses 120 UTF-16 characters = 240 bytes, so 256 is okay from that perspective.

Until Bug #31281 (UCS-3.2) it was limited to 8 characters, now it is:
base/univention-lib/shell/base.sh:
> create_machine_password () {
> 	local length compl
> 	length="$(/usr/sbin/univention-config-registry get machine/password/length)"
> 	compl="$(/usr/sbin/univention-config-registry get machine/password/complexity)"
> 	pwgen -1 -"${compl:-scn}" "${length:-20}" | tr -d '\n'
> }

`-s` = `--secure` → for machine usage
`-c` = `--capitalize` → at least one capital letter
`-n` = `--numerals` → also digits

(2*26+10)^20 = 704.423.425.546.998.022.968.330.264.616.370.176 =~ 7e35
is still enough for y2021.
Comment 3 Gino Harlos 2022-01-16 10:11:17 CET
Created attachment 10905 [details]
Patch suggestion, including default password length

I think it's time to increase the default password length to 32 or even 64. We have arrived in 2022 and as quickly as a new container comes, it also goes, or is simply forgotten.
I hope that I found all digits of the default password length.

Could also be something for the UCS security guide? ( https://forge.univention.org/bugzilla/show_bug.cgi?id=37877 )
Comment 4 Florian Best univentionstaff 2025-03-28 07:39:49 CET
(In reply to Gino Harlos from comment #3)
Thank you for your patch. I created Bug #58126 for this, so that in this bug we just fix the possibility to support larger passwords.
Comment 5 Florian Best univentionstaff 2025-03-28 08:32:08 CET
The password maximum length has been set to 256.

univention-policy.yaml
5f3c22497d64 | feat(policy): allow machine password length of 256 characters

univention-policy (13.0.7)
5f3c22497d64 | feat(policy): allow machine password length of 256 characters

univention-licence.yaml
66defa1a0022 | feat(license): allow machine password length of 256 characters

univention-licence (13.0.3)
66defa1a0022 | feat(license): allow machine password length of 256 characters
Comment 6 Johannes Lohmer univentionstaff 2025-03-28 09:34:35 CET
errata-yaml ok
code-review ok
log messages ok
packagebuild ok
problem reproduced ok
fix reproduced ok