dbf5df4 CVE-2020-1722: prevent use of too long passwords

Authored and Committed by abbra 4 years ago
    CVE-2020-1722: prevent use of too long passwords
    
    NIST SP 800-63-3B sets a recommendation in A.2 to have an upper bound on password length:
    
    https://pages.nist.gov/800-63-3/sp800-63b.html#appA
    
    	Users should be encouraged to make their passwords as lengthy as they
    	want, within reason. Since the size of a hashed password is independent
    	of its length, there is no reason not to permit the use of lengthy
    	passwords (or pass phrases) if the user wishes. Extremely long passwords
    	(perhaps megabytes in length) could conceivably require excessive
    	processing time to hash, so it is reasonable to have some limit.
    
    FreeIPA already applied a 256-character limit for non-random passwords
    set through the ipa-getkeytab tool. The limit was not, however, enforced in
    other places.
    
    MIT Kerberos limits the length of the password to 1024 characters in its
    tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
    differentiate between a password larger than 1024 and a password of 1024
    characters. As a result, longer passwords are silently cut off.
    
    To prevent silent cut-off of user passwords, use a limit of 1000
    characters.
    
    Thus, this patch enforces a common limit of 1000 characters everywhere:
     - LDAP-based password changes
       - LDAP password change control
       - LDAP ADD and MOD operations on clear-text userPassword
       - Keytab setting with ipa-getkeytab
     - Kerberos password setting and changing
    
    Fixes: https://pagure.io/freeipa/issue/8268
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-by: Simo Sorce <ssorce@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
    
4 files modified: +16 -3, +1 -1, +18 -0, +3 -0