1463673 – radiusd silently truncates the Tunnel-password attribute in its length is over 249 characters

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1463673 - radiusd silently truncates the Tunnel-password attribute in its length is over 249 characters

Summary: radiusd silently truncates the Tunnel-password attribute in its length is ove...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	freeradius
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Alex Scheel
QA Contact:	Filip Dvorak
Docs Contact:	Florian Delehaye
URL:
Whiteboard:
Depends On:
Blocks:	1723362
TreeView+	depends on / blocked

Reported:	2017-06-21 13:01 UTC by Patrik Kis
Modified:	2020-03-12 13:41 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	.FreeRADIUS silently truncates Tunnel-Passwords longer than 249 characters If a Tunnel-Password is longer than 249 characters, the FreeRADIUS service silently truncates it. This may lead to unexpected password incompatibilities with other systems. To work around the problem, choose a password that is 249 characters or fewer.
Clone Of:
Clones:	1470801 1723362 (view as bug list)
Environment:
Last Closed:	2019-11-22 15:04:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Patrik Kis 2017-06-21 13:01:09 UTC

Description of problem:
The maximum length of Tunnel-password attribute seems to the 249 characters according the specifications (the is one octet to store the value + there are some other octets used for header). If longer password is set, radiusd accepts it (do not report error and starts), but then the length is truncated to usable value.
That is not intuitive and may confuse users. If the length is over 1022 characters the radiusd simply do not start end report error. IMO, it should be the same for lengths which can not be sent over the protocol (i.e. 250 and more)

Version-Release number of selected component (if applicable):
freeradius-3.0.13-5.el7

How reproducible:
always

Steps to Reproduce:
1. Set up a test user with Tunnel-password (length 250 characters), eg:
testuser250 Cleartext-Password := passme
    Tunnel-Password = PjHzPhdzLzhZELZG7oD5LPW9vpkN0Q3L7n11wrsao1wmsKRrSkeGGxYiP8wJTfNjKAE4pNE1cdmdu574XmtkCHOPQBGDXeYc04iqWa6fqZVyzHaQIQKuBHFz19T2PgOGKWiV2qRtmdar9ReRH72HDvfJQPBBgXIe7ic956pOL539GpsYIdrpikaZ2UEiVZBcgblMbEp8Brmd4m9e0rFbkkAXLHfu736URPnaaL77CKc1GRgsrSV5nTVPfy

2. Run the server
3. Test with radtest:

# radtest testuser250 passme localhost 0 testing123
Sent Access-Request Id 223 from 0.0.0.0:41687 to 127.0.0.1:1812 length 92
	User-Name = "testuser250"
	User-Password = "passme"
	NAS-IP-Address = 192.168.100.70
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "passme"
Received Access-Accept Id 223 from 127.0.0.1:1812 to 0.0.0.0:0 length 275
	Tunnel-Password:0 = "PjHzPhdzLzhZELZG7oD5LPW9vpkN0Q3L7n11wrsao1wmsKRrSkeGGxYiP8wJTfNjKAE4pNE1cdmdu574XmtkCHOPQBGDXeYc04iqWa6fqZVyzHaQIQKuBHFz19T2PgOGKWiV2qRtmdar9ReRH72HDvfJQPBBgXIe7ic956pOL539GpsYIdrpikaZ2UEiVZBcgblMbEp8Brmd4m9e0rFbkkAXLHfu736URPnaaL77CKc1GRgsrSV5nTVPf"

^^^ Note the missing 'y' at the end of Tunnel-password attribute.

Comment 1 Alex Scheel 2019-05-02 14:37:12 UTC

Patrik / Filip,

Do either of you know if this is fixed on the RHEL 8 builds? I swear I've seen something related to this upstream, but I'm not sure if it is fixed in 3.0.17 or something newer (definitely would be in 3.0.19 **if** my memory was correct). 


IIRC, this is a limitation in the RFC.

Comment 2 Patrik Kis 2019-05-03 11:23:46 UTC

(In reply to Alex Scheel from comment #1)
> Patrik / Filip,
> 
> Do either of you know if this is fixed on the RHEL 8 builds?

It does not seem to be the case.
My test is failing in the same way as it fails with the RHEL 7 build, for which the issue was reported
 
> 
> IIRC, this is a limitation in the RFC.

I did not check the RFC, but the reported problem here is not that it does not support long passwords. The problem is that it does not detects and reports the limitation with the password length.

Note You need to log in before you can comment on or make changes to this bug.