vsftpd max username length too small
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vsftpd (Debian) | Fix Released | Unknown | |
vsftpd (Ubuntu) | Fix Released | Medium | Adrien Cunin |
Hardy | Won't Fix | Low | Unassigned |
Bug Description
vsftpd has a max username length of 32; this is too small for a virtual hosting environment where the username is a user's e-mail address (if they have a long domain name, etc.).
This issue was patched in FC10 via their patch system and has been pulled into the new upstream 2.1 version. I'll attach a debdiff to this bug once it's created so I know the bug number.
SRU Report (for Hardy)
-------
This bug's impact is (probably) mostly felt by users running Hardy as a hosting server using vsftpd as their FTP server. Hosting servers typically use either the domain name and/or e-mail address as the username which can easily exceed the 32 character limit.
This has been fixed in the current development version (Karmic - 2.1.1~pre1-
TEST CASE: This bug can be reproduced by creating a username greater than 32 characters, then attempting to log in with the unpatched vsftpd. Upon upgrading to the patched vsftpd, this login attempt should then succeed.
Looking at the patch, regression seems unlikely (given the nature of the change); however, the worst-case outcomes I can see for regression are:
a) vsftpd stops working; or
b) An (unknown) underlying authentication mechanism requires vsftpd to reject usernames greater than 32 characters and hence breaks.
I'm afraid I'm not sure how likely (b) is, however PAM can handle usernames of such length.
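A pre-upgrade check for the impact described in the SRU report, added here as an example (it is not part of the bug report or of vsftpd): it lists the login names that exceed the 32-character limit. The one-name-per-line input format, the sample names and the byte-based length count are assumptions.

```shell
#!/bin/sh
# Added example: find login names affected by the 32-character username
# limit described in this bug. This is not vsftpd code.

LIMIT=32   # limit stated in the bug description

# Reads one login name per line on stdin (assumed input format), skips
# blank lines and '#' comments, and prints "<length> <name>" for every
# name longer than LIMIT. Length is counted in bytes (assumption: the
# limit is a fixed C buffer size), so awk is run in the C locale.
over_limit_users() {
    LC_ALL=C awk -v limit="$LIMIT" '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        { gsub(/^[ \t]+|[ \t]+$/, "") }    # trim surrounding whitespace
        length($0) > limit { printf "%d %s\n", length($0), $0 }
    '
}

# Constructed sample list of virtual users (not taken from the bug report).
# The third name is exactly 32 bytes; the fourth is 32 characters but
# 34 bytes because of the two UTF-8 encoded umlauts.
sample_users() {
    cat <<'EOF'
# virtual FTP users
alice@example.org
webmaster@a-rather-long-hosting-domain.example.com
exactly32chars@example-host.test
jürgen.müller@kunden.example.org
EOF
}

# Run the check on the sample list when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    sample_users | over_limit_users
fi
```

Names reported by `over_limit_users` are the accounts to retest with the TEST CASE above once the patched package is installed.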
Changed in vsftpd (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in vsftpd (Ubuntu):
assignee: nobody → Adrien Cunin (adri2000)
status: Triaged → In Progress
description: updated
Changed in vsftpd (Ubuntu Hardy):
assignee: nobody → Thierry Carrez (ttx)
importance: Undecided → Low
status: New → In Progress
Changed in vsftpd (Debian):
status: Unknown → Fix Released
Debdiff for jaunty which reflects the FC10 patch which has been incorporated upstream in version 2.1