Bug 233478

Summary: Authentication fails if password > 128 characters
Product: Base System
Reporter: ASV <asv>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: New ---
Severity: Affects Many People
Keywords: regression, security
Priority: ---
Version: 11.2-RELEASE
Hardware: Any
OS: Any

Description ASV 2018-11-24 19:37:06 UTC
After upgrading from 11.1-RELEASE to 11.2-RELEASE through freebsd-update, I was locked out of my remote server after the reboot.
Further investigation and testing on another FreeBSD 11.2-RELEASE system (upgraded through buildworld instead, and working perfectly) confirmed that I was locked out because the previous passwords were longer than 128 characters.

Both systems have passwd_format=sha512 set through login.conf (which I believe is the default value nowadays).
This issue is new; it was never there before, and it actually forced me to log in in single-user mode and fix it by changing the passwords to something shorter.
Comment 1 ASV 2018-11-24 19:54:24 UTC
By the way, you're allowed to set passwords as long as you like, but PAM will fail to authenticate. If there's a reason this is happening (why?!), i.e. if it's not a bug, I believe a check should be introduced to forbid setting passwords longer than 128 characters.