[Touch-packages] [Bug 1822736] Re: Passwords longer than 255 characters break authentication

2019-10-05 Thread Marc Deslauriers
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross

[Touch-packages] [Bug 1822736] Re: Passwords longer than 255 characters break authentication

2019-04-02 Thread Tom Reynolds
It is yet unclear what the root cause of this issue is - libpam, crypt, passwd and sudo seem like primary suspects. The 256 character password is hashed to a value which still allows a TTY login to succeed. Also, passwd run by a different user in the context of the affected user (using sudo) still

[Touch-packages] [Bug 1822736] Re: Passwords longer than 255 characters break authentication

2019-04-02 Thread Chris Guiver
Booted up an Ubuntu 14.04 LTS box & followed test procedure. Same result - steps followed fine until, once the 256 char password was entered, I was unable to `sudo whoami` (password was not accepted).
OS: Ubuntu 14.04.6 LTS x86_64
Host: HP Compaq dc7700 Small Form Factor
Kernel: 3.13.0-168-generic

[Touch-packages] [Bug 1822736] Re: Passwords longer than 255 characters break authentication

2019-04-02 Thread Chris Guiver
I followed Tom's REPRODUCTION test, and got exactly what Tom said I would. I can confirm the issue with 256 character passwords. (I used `wc` to count characters in my buffer.) I could set the 256 character password (I used it with a backspace to enter the old password, so it was only 1

[Touch-packages] [Bug 1822736] Re: Passwords longer than 255 characters break authentication

2019-04-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pam (Ubuntu)
Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu.

[Touch-packages] [Bug 1822736] Re: Passwords longer than 255 characters break authentication

2019-04-02 Thread Alex Murray
** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1822736
Title: Passwords longer than 255 characters break