Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/787?usp=email )
Change subject: Refuse clients if username or password is > USER_PASS_LEN
......................................................................

Patch Set 1: Code-Review-2

(1 comment)

Patchset:

PS1:
This is not working right for me.

I have a client, built with PKCS11 support, that sends a 230 byte username and a short password (11 characters).

On the server side (not built with PKCS11, verified by printing out USER_PASS_LEN at startup), this is using plugin-auth-pam, and it seems to happily pass things onward, in confusing ways

```
2024-10-26 11:10:24 USER_PASS_LEN=128
...
Oct 26 11:06:47 gentoo tun-udp-p2mp-global-authpam[1709]: 194.97.140.21:50280 TLS INFO: Username (128) or password (103) long
Oct 26 11:06:47 gentoo tun-udp-p2mp-global-authpam[1709]: PLUGIN AUTH-PAM: deferred authentication
Oct 26 11:06:47 gentoo tun-udp-p2mp-global-authpam[1709]: 194.97.140.21:50280 TLS: Username/Password authentication deferred for username 'ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsT'
```

so it's not overrunning the buffer, and not getting confused anymore, but it *is* truncating the username to 128 bytes and using "the rest" for the password (103 = (230-128)).
Turning on password logging in plugin-auth-pam confirms:

```
Oct 26 11:06:47 gentoo openvpn[1711]: PLUGIN AUTH-PAM: BACKGROUND: USER/PASS: ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsT/ooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_ThisUserNameIsTooLongReally_230ch
```

(the password the client sends is `totallysecret`, and the client username ends in `_230ch`)

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/787?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I60f02c919767eb8f1b95253689a8233f5f68621d
Gerrit-Change-Number: 787
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: cron2 <g...@greenie.muc.de>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Comment-Date: Sat, 26 Oct 2024 09:16:15 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
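
A simplified model of the truncate-and-continue behaviour shown in the logs above, next to a reader that refuses the over-long field. This is an added example, not OpenVPN's code and not part of the review comment; the NUL-separated field layout and every function name are assumptions, and the input is constructed from the values quoted in the comment.

```c
#include <stdio.h>
#include <string.h>
#define USER_PASS_LEN 128   /* value printed in the server log above */
struct cursor { const char *p; size_t left; };  /* assumed: NUL-separated fields */
static char wire[512], user[USER_PASS_LEN], pass[USER_PASS_LEN];

static size_t field_len(const struct cursor *c) {  /* bytes before the NUL */
    const char *z = memchr(c->p, '\0', c->left);
    return z ? (size_t)(z - c->p) : c->left;
}

/* Truncating reader: keeps cap-1 bytes and leaves the tail of an over-long
 * field unread, so the next call hands that tail out as the next field. */
static void read_truncating(struct cursor *c, char *out, size_t cap) {
    size_t n = field_len(c), take = n < cap - 1 ? n : cap - 1;
    memcpy(out, c->p, take); out[take] = '\0';
    c->p += take; c->left -= take;
    if (take == n && c->left > 0) { c->p++; c->left--; }  /* consume the NUL */
}

/* Strict reader: refuses a field that is unterminated or does not fit. */
static int read_strict(struct cursor *c, char *out, size_t cap) {
    size_t n = field_len(c);
    if (n == c->left || n + 1 > cap) return 0;
    memcpy(out, c->p, n + 1); c->p += n + 1; c->left -= n + 1;
    return 1;
}

static struct cursor sample(void) {  /* constructed: 229-char username, then password */
    size_t off = 0;
    for (; off < 8 * 28; off += 28) memcpy(wire + off, "ThisUserNameIsTooLongReally_", 28);
    memcpy(wire + off, "230ch\0totallysecret", 20);  /* name tail, NUL, password, NUL */
    return (struct cursor){ wire, off + 20 };
}

const char *spilled_password(void) {  /* what the truncating parse calls the password */
    struct cursor c = sample();
    read_truncating(&c, user, sizeof user); read_truncating(&c, pass, sizeof pass);
    return pass;
}
int strict_accepts(void) {  /* 0: the over-long username is refused outright */
    struct cursor c = sample();
    return read_strict(&c, user, sizeof user) && read_strict(&c, pass, sizeof pass);
}
int main(void) {
    printf("truncating parse, password field: %s\n", spilled_password());
    printf("strict parse accepted: %d\n", strict_accepts());
    return 0;
}
```

With the terminating NUL counted, the truncating parse yields a 128-byte username and a 103-byte "password", the sizes in the `TLS INFO` log line, and the real password is never read.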