It is yet unclear what the root cause of this issue is - libpam, crypt, passwd and sudo seem like primary suspects. The 256 character password is hashed to a value which still allows a TTY login to succeed. Also, passwd run by a different user in the context of the affected user (using sudo) still works. So apparently it only breaks for the logged-in user. This may help identify the root cause.
pam_unix(8) (on bionic) states: The maximum length of a password supported by the pam_unix module via the helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the password provided by the conversation function to the module will be ignored. Regarding passwd, I was told this on IRC: passwd uses getpass() to read the password from the user, and testing just getpass() alone shows it will return up to 4095 bytes long (i.e. truncates at that length). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1822736 Title: Passwords longer than 255 characters break authentication Status in pam package in Ubuntu: Confirmed Bug description: DISCUSSION When a password longer than 255 characters is set for any user account, this user will become unable to authenticate when running 'sudo' or 'passwd'. IMPACT This affects 18.04.2 systems, whether they were installed using Desktop (ubiquity) or Server (subiquity) installers. It may also affect other releases - this is yet untested. Tagged 'security' since these utilities then deny service to this user. REPRODUCTION # Add user 'test' with password 'testtest' sudo adduser --gecos '' test # Add user 'test' to the 'sudo' group sudo adduser test sudo # Become user 'test' sudo -iu test # Verify user 'test' can run commands via sudo sudo whoami # Change password of 'test' to this 255 character long password: 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 passwd # Verify user 'test' can run commands via sudo with the new password set sudo -k sudo whoami # should report "root" # Change password of 'test' to 'testtest': passwd # Verify user 'test' can run commands via sudo with the new password set sudo -k sudo whoami # should report "root" # Change password of 'test' to this 256 character long password: 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456 passwd # Verify user 'test' can run commands via sudo with the new password set sudo -k sudo whoami # should report "root" # This authentication fails, as sudo does not accept the 256 character password. # Attempting to change this password to a different value also fails: passwd # Effectively, user 'test' is now unable to use sudo, or to change their password. # The 'login' command, run by root, does, however, still enable user 'test' to login using the newly set 256 character password. # At the same time, a different restricted user who is a member of the 'sudo' group can still set a new password for 'test' (after authenticating to sudo with their own password) by supplying the current 256 character password using: sudo -u test passwd # Finally, to clean up sudo deluser --remove-home test ADDITIONAL OBSERVATIONS * A root-initiated 'login' command still allows this user to authenticate. * A different restricted user who is a member of the 'sudo' group can still set a new password for for this users' account (after authenticating to sudo with their own password) by supplying the >=256 character password CREDIT This was originally reported by 'Fieldy', I just reproduced it / filed this bug report. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: libpam0g 1.1.8-3.6ubuntu2.18.04.1 ProcVersionSignature: Ubuntu 4.18.0-16.17~18.04.1-generic 4.18.20 Uname: Linux 4.18.0-16-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.6 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Tue Apr 2 09:39:39 2019 SourcePackage: pam UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1822736/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
