Ubuntu
pam package

  1. Bug #1822736
  2. Comment #0

Comment 0 for bug 1822736

Revision history for this message
Tom Reynolds (tomreyn) wrote :

DISCUSSION

When a password longer than 255 characters is set for any user account, this user will become unable to authenticate when running 'sudo' or 'passwd'.

IMPACT

Tagged 'security' since these utilities then deny service to this user.

REPRODUCTION

# Add user 'test' with password 'testtest'
sudo adduser --gecos '' test

# Add user 'test' to the 'sudo' group
sudo adduser test sudo

# Become user 'test'
sudo -iu test

# Verify user 'test' can run commands via sudo
sudo whoami

# Change password of 'test' to this 255 character long password: 123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345
passwd

# Verify user 'test' can run commands via sudo with the new password set
sudo -k
sudo whoami # should report "root"

# Change password of 'test' to 'testtest':
passwd

# Verify user 'test' can run commands via sudo with the new password set
sudo -k
sudo whoami # should report "root"

# Change password of 'test' to this 256 character long password: 1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456
passwd

# Verify user 'test' can run commands via sudo with the new password set
sudo -k
sudo whoami # should report "root"

# This authentication fails, as sudo does not accept the 256 character password.
# Attempting to change this password to a different value also fails:
passwd

# Effectively, user 'test' is now unable to use sudo, or to change their password.

# The 'login' command, run by root, does, however, still enable user 'test' to login using the newly set 256 character password.
# At the same time, a different restricted user who is a member of the 'sudo' group can still set a new password for 'test' (after authenticating to sudo with their own password) by supplying the current 256 character password using:
sudo -u test passwd

# Finally, to clean up
sudo deluser --remove-home test

ADDITIONAL OBSERVATIONS

* A root-initiated 'login' command still allows this user to authenticate.
* A different restricted user who is a member of the 'sudo' group can still set a new password for for this users' account (after authenticating to sudo with their own password) by supplying the >=256 character password

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: libpam0g 1.1.8-3.6ubuntu2.18.04.1
ProcVersionSignature: Ubuntu 4.18.0-16.17~18.04.1-generic 4.18.20
Uname: Linux 4.18.0-16-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Tue Apr 2 09:39:39 2019
SourcePackage: pam
UpgradeStatus: No upgrade log present (probably fresh install)