Bug 1470801 - radiusd silently truncates the Tunnel-password attribute in its length is over 249 characters
radiusd silently truncates the Tunnel-password attribute in its length is ove...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: freeradius (Show other bugs)
6.10
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Nikolai Kondrashov
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-13 13:28 EDT by Patrik Kis
Modified: 2017-12-06 05:20 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1463673
Environment:
Last Closed: 2017-12-06 05:20:14 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Patrik Kis 2017-07-13 13:28:58 EDT
The bug also exists on RHEL-6. If there will be also other fixes, it's maybe worth to fix this one as well.

+++ This bug was initially created as a clone of Bug #1463673 +++

Description of problem:
The maximum length of Tunnel-password attribute seems to the 249 characters according the specifications (the is one octet to store the value + there are some other octets used for header). If longer password is set, radiusd accepts it (do not report error and starts), but then the length is truncated to usable value.
That is not intuitive and may confuse users. If the length is over 1022 characters the radiusd simply do not start end report error. IMO, it should be the same for lengths which can not be sent over the protocol (i.e. 250 and more)

Version-Release number of selected component (if applicable):
freeradius-3.0.13-5.el7

How reproducible:
always

Steps to Reproduce:
1. Set up a test user with Tunnel-password (length 250 characters), eg:
testuser250 Cleartext-Password := passme
    Tunnel-Password = PjHzPhdzLzhZELZG7oD5LPW9vpkN0Q3L7n11wrsao1wmsKRrSkeGGxYiP8wJTfNjKAE4pNE1cdmdu574XmtkCHOPQBGDXeYc04iqWa6fqZVyzHaQIQKuBHFz19T2PgOGKWiV2qRtmdar9ReRH72HDvfJQPBBgXIe7ic956pOL539GpsYIdrpikaZ2UEiVZBcgblMbEp8Brmd4m9e0rFbkkAXLHfu736URPnaaL77CKc1GRgsrSV5nTVPfy

2. Run the server
3. Test with radtest:

# radtest testuser250 passme localhost 0 testing123
Sent Access-Request Id 223 from 0.0.0.0:41687 to 127.0.0.1:1812 length 92
	User-Name = "testuser250@redhat.com"
	User-Password = "passme"
	NAS-IP-Address = 192.168.100.70
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "passme"
Received Access-Accept Id 223 from 127.0.0.1:1812 to 0.0.0.0:0 length 275
	Tunnel-Password:0 = "PjHzPhdzLzhZELZG7oD5LPW9vpkN0Q3L7n11wrsao1wmsKRrSkeGGxYiP8wJTfNjKAE4pNE1cdmdu574XmtkCHOPQBGDXeYc04iqWa6fqZVyzHaQIQKuBHFz19T2PgOGKWiV2qRtmdar9ReRH72HDvfJQPBBgXIe7ic956pOL539GpsYIdrpikaZ2UEiVZBcgblMbEp8Brmd4m9e0rFbkkAXLHfu736URPnaaL77CKc1GRgsrSV5nTVPf"

^^^ Note the missing 'y' at the end of Tunnel-password attribute.
Comment 1 Jan Kurik 2017-12-06 05:20:14 EST
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/

Note You need to log in before you can comment on or make changes to this bug.