Univention Bugzilla – Bug 52575
machine/password/length of 28 or larger causes core dump in univention.license
Last modified: 2022-01-16 10:11:17 CET
Setting up a UCS system with a machine/password/length of 28 characters or more causes a core dump in univention.license, making the UMC modules unusable.

root@dc:/# python
Python 2.7.13 (default, Aug 22 2020, 10:03:02)
[GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import univention.license
>>> univention.license.select("admin")
03.12.20 13:36:47.487 DEBUG_INIT
03.12.20 13:36:47.517 LDAP ( ERROR ) : ldap_simple_bind: Invalid credentials
python: search.c:95: ldap_pvt_search: Assertion `ld != NULL' failed.
Aborted (core dumped)

In this case it was a primary/master and ldap.secret exceeded the hard coded limit of

#define _UNIVENTION_LDAP_SECRET_LEN_MAX 27

in univention-policy/lib/ldap.c. It would be good to allow longer passwords for critical accounts.
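Added example, not part of the bug report and not code from univention-policy: a minimal C sketch of how a reader with a fixed 27-character limit can silently truncate a longer secret, next to a checked variant that rejects it with an explicit error. The function names, the use of fgets and the temp file standing in for ldap.secret are assumptions for illustration; only the limit of 27 comes from the report.

```c
#include <stdio.h>
#include <string.h>

#define SECRET_LEN_MAX 27            /* limit quoted in the report */

/* Assumed pattern: fixed buffer, surplus bytes silently dropped. */
static int read_secret_fixed(FILE *f, char *buf, size_t bufsz) {
    if (!fgets(buf, (int)bufsz, f)) return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Checked variant: reject a secret that does not fit instead of truncating. */
static int read_secret_checked(FILE *f, char *buf, size_t bufsz) {
    if (!fgets(buf, (int)bufsz, f)) return -1;
    size_t n = strcspn(buf, "\n");
    if (buf[n] != '\n') {            /* buffer filled or EOF reached: peek ahead */
        int c = fgetc(f);
        if (c != EOF && c != '\n') { memset(buf, 0, bufsz); return -2; }
    }
    buf[n] = '\0';
    return 0;
}

/* Run one reader over a constructed secret held in a temp file (stand-in for
 * ldap.secret). Returns loaded length, or the reader's negative error code. */
static int load(const char *secret, int checked) {
    char buf[SECRET_LEN_MAX + 1];
    FILE *f = tmpfile();
    if (!f) return -1;
    fputs(secret, f);
    rewind(f);
    int rc = checked ? read_secret_checked(f, buf, sizeof buf)
                     : read_secret_fixed(f, buf, sizeof buf);
    fclose(f);
    return rc < 0 ? rc : (int)strlen(buf);
}

int main(void) {
    const char *s27 = "abcdefghijklmnopqrstuvwxyzA";   /* constructed, 27 chars */
    const char *s28 = "abcdefghijklmnopqrstuvwxyzAB";  /* constructed, 28 chars */
    printf("fixed   27 -> %d\n", load(s27, 0));
    printf("fixed   28 -> %d (truncated secret)\n", load(s28, 0));
    printf("checked 27 -> %d\n", load(s27, 1));
    printf("checked 28 -> %d (rejected with explicit error)\n", load(s28, 1));
    return 0;
}
```

A truncated secret no longer matches the stored password, which is consistent with the "Invalid credentials" line in the session above; the caller must also check the bind result before using the LDAP handle.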
Created attachment 10589: allow_maximum_password_length_256.patch

Patch proposal
Windows uses 120 UTF-16 characters = 240 bytes, so 256 is okay from that perspective.

Until Bug #31281 (UCS-3.2) it was limited to 8 characters, now it is:

base/univention-lib/shell/base.sh:
> create_machine_password () {
>     local length compl
>     length="$(/usr/sbin/univention-config-registry get machine/password/length)"
>     compl="$(/usr/sbin/univention-config-registry get machine/password/complexity)"
>     pwgen -1 -"${compl:-scn}" "${length:-20}" | tr -d '\n'
> }

`-s` = `--secure` → for machine usage
`-c` = `--capitalize` → at least one capital letter
`-n` = `--numerals` → also digits

(2*26+10)^20 = 704.423.425.546.998.022.968.330.264.616.370.176 =~ 7e35 is still enough for y2021.
Created attachment 10905: Patch suggestion, including default password length

I think it's time to increase the default password length to 32 or even 64. We have arrived in 2022 and as quickly as a new container comes, it also goes, or is simply forgotten.

I hope that I found all digits of the default password length.

Could also be something for the UCS security guide? ( https://forge.univention.org/bugzilla/show_bug.cgi?id=37877 )