233478 – Authentication fails if password > 128 characters

Bug 233478 - Authentication fails if password > 128 characters

Summary: Authentication fails if password > 128 characters

Status:	New

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	11.2-RELEASE
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	regression, security

Depends on:
Blocks:

Reported:	2018-11-24 19:37 UTC by ASV
Modified:	2018-11-28 05:11 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description ASV 2018-11-24 19:37:06 UTC

After upgrading from 11.1 RELEASE to 11.2 RELEASE through freebsd-update I've been locked out from my remote server after the reboot.
Further investigation and testing on another FreeBSD 11.2 RELEASE (upgraded through build world instead and perfectly working) confirmed that I was locked out because the previous passwords were larger than 128 characters.

Both systems are set "passwd_format=sha512" through login.conf (which I believe is the default value nowadays).
This issue is something new, was never there and actually forced me to login and fix it modifying the passwords while in single user mode with something shorter.

Comment 1 ASV 2018-11-24 19:54:24 UTC

By the way, you're allowed to set passwords as long as you like but PAM will fail to authenticate. If there's a reason why this is happening (why?!), so if it's not a bug, I believe a check should be introduced to forbid the setting of passwords with length > 128 characters.