Package: whois
Version: 5.3.0

The mkpasswd(1) binary is truncating passwords longer than 127 characters:

    Unique password string for 126 characters:

        $ printf 'a%.0s' {1..126} | mkpasswd -m SHA-512 -S '........' -s
        $6$........$W.thEL8diDVRFeHWlFLX3uJQViSwuCRjGgQNzFHsGNmaRKC2opCC5Kn075sSXTyzjQu8KB36qYKzDuokqspu91

    Same password string for both 127 and 128 characters:

        $ printf 'a%.0s' {1..127} | mkpasswd -m SHA-512 -S '........' -s
        $6$........$ohe17aZZw6Y3jUoSMm3bz3npIzYz2TBeXUPuvxc2LpQ.ARle/n5CF3.9yLYUPmGuLHGbc1jJKz3J/nJ5B5/yb1
        $ printf 'a%.0s' {1..128} | mkpasswd -m SHA-512 -S '........' -s
        $6$........$ohe17aZZw6Y3jUoSMm3bz3npIzYz2TBeXUPuvxc2LpQ.ARle/n5CF3.9yLYUPmGuLHGbc1jJKz3J/nJ5B5/yb1

This behavior does not match passwd(1) behavior when updating passwords in the
shadow(5) file. In this first example, a 127-character "a" string is printed,
and copy/pasted to passwd(1) for a "testing" user. The password generated by
passwd(1), which I believe is calling crypt(3), matches the password generated
with mkpasswd(1), which is also calling crypt(3), when using the same salt:

    # printf 'a%.0s' {1..127}; echo
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    # passwd testing
    Enter new UNIX password: (copy/paste from above)
    Retype new UNIX password: 
    passwd: password updated successfully
    # grep testing /etc/shadow
    testing:$6$rounds=50000$3ideW/N8$6fTBlETOHVxEaxkQ/bAzuV2zd006reQXl..swD4VOevqM6scHykTuGKEU0AH06fz.56czYRYn37zoBDoy2WTx0:17672:0:99999:7:::
    # printf 'a%.0s' {1..127} | mkpasswd -R 50000 -S '3ideW/N8' -m SHA-512 -s
    $6$rounds=50000$3ideW/N8$6fTBlETOHVxEaxkQ/bAzuV2zd006reQXl..swD4VOevqM6scHykTuGKEU0AH06fz.56czYRYn37zoBDoy2WTx0

In this second example, a 128-character "a" string is printed, and copy/pasted
to passwd(1), for the "testing" user, just as in the first example. However,
the password generated by mkpasswd(1) does not match, when using the same salt:

    # printf 'a%.0s' {1..128}; echo
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    # passwd testing
    Enter new UNIX password: (copy/paste from above)
    Retype new UNIX password: 
    passwd: password updated successfully
    # grep testing /etc/shadow
    testing:$6$rounds=50000$qkMTUfnR$iZi0HouwMMgCPDLkrMTWbLAP7rxFvlQJrVhWWoTD6yyfG9prX2xQHkfqW4rB17hRwV5BMnugV8H9osy3cXbKo1:17672:0:99999:7:::
    # printf 'a%.0s' {1..128} | mkpasswd -R 50000 -S 'qkMTUfnR' -m SHA-512 -s
    $6$rounds=50000$qkMTUfnR$ViyQ1KWaHVjBWxJbQikeSZfbp1MXyfRn2.KbTnMqcI7I/gqKmVXPW64rK/qz18LAtL5QjHoOn2CBhbWrZ/jRe.

This seems to be a bug in mkpasswd(1), which truncates passwords at 127
characters.
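To tell which side of the mismatch is right, the SHA-512 crypt ($6$) algorithm can be reimplemented independently and run against the hashes quoted above. This is an added example, not code from the report, from whois/mkpasswd or from glibc; it follows Drepper's published SHA-crypt specification and uses only the passwords, salts and round counts shown in the report.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3) alphabet, not RFC 4648

def _b64(b2, b1, b0, n):
    """Emit n 6-bit groups of the 24-bit word b2|b1|b0, low bits first."""
    w, out = (b2 << 16) | (b1 << 8) | b0, ""
    for _ in range(n):
        out += ITOA64[w & 0x3F]
        w >>= 6
    return out

def sha512_crypt(password, salt, rounds=None):
    """SHA-512 crypt ($6$) per Drepper's spec; the password is used at its full length.
    rounds=None means the default 5000 and omits the 'rounds=' field, as crypt(3) does."""
    pw, sl = password.encode(), salt.encode()[:16]
    r = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    b = hashlib.sha512(pw + sl + pw).digest()                      # digest B
    a = hashlib.sha512(pw + sl)                                     # digest A, then len(pw) bytes of B
    a.update(b * (len(pw) // 64) + b[: len(pw) % 64])
    n = len(pw)
    while n:                                                        # bits of len(pw), LSB first
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = (hashlib.sha512(pw * len(pw)).digest() * (len(pw) // 64 + 1))[: len(pw)]
    s = (hashlib.sha512(sl * (16 + a[0])).digest() * (len(sl) // 64 + 1))[: len(sl)]
    c = a
    for i in range(r):                                              # the stretching loop
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    enc = ""
    for i in range(21):                                             # byte order of the reference code
        t = [i, i + 21, i + 42]
        t = t[i % 3:] + t[: i % 3]
        enc += _b64(c[t[0]], c[t[1]], c[t[2]], 4)
    enc += _b64(0, 0, c[63], 2)
    tag = "$6$" + (f"rounds={r}$" if rounds is not None else "")
    return tag + sl.decode() + "$" + enc

def truncates_at(limit, salt="........"):
    """True if a password of limit+1 chars hashes the same as one of limit chars (the reported bug)."""
    return sha512_crypt("a" * limit, salt) == sha512_crypt("a" * (limit + 1), salt)
```

Run against the report's values, the 127-character hashes agree with both tools, the 128-character hash agrees with the /etc/shadow entry written by passwd(1) but not with mkpasswd's output, and truncates_at(127) is False for a conforming implementation.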

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
