Description of problem:
Boot in some level, for example 3, and go to some console. Enter about 100 (same) chars for the username (I did not check with fewer). After having pressed "enter", no password is requested, but after some secs, the system presents again the login dialog on that console (as if there were a wrong passwd).

The usage of the "login" command shows a different (correct) effect: The password is each time requested, independent from the length of the username.

Version-Release number of selected component (if applicable):
upstart-sysvinit-0.6.5-9.fc14.i686

How reproducible:
always

Steps to Reproduce:
1. Go to some console window
2. Enter 100 "m" chars for the username
3. Press enter

Actual results:
no password is prompted for, but a new userid

Expected results:
System requests password

Additional info:
Different behaviour of the "login" command
(1) Mingetty limits login name to 39 characters. If user supplies longer one, error is reported to syslog, no error message is printed on TTY (security concerns), and mingetty terminates after 5 seconds.

If you think user should be informed about exceeding length, we can start to talk about modifying current code.

(2) From point of view of mingetty, long login name is fatal internal error, thus it cannot continue by executing login (the name would be clamped and user misled thinking PAM got full login string).

Fatal errors cannot be overcome, this is a feature making your bug report invalid.
(In reply to comment #1)
> (1) Mingetty limits login name to 39 characters. If user supplies longer one,
> error is reported to syslog, no error message is printed on TTY (security
> concerns), and mingetty terminates after 5 seconds.
>
> If you think user should be informed about exceeding length, we can start to
> talk about modifying current code.

No need for this. But is that limit (39 chars) described anywhere? Neither "man mingetty" says anything about that limit, nor "/etc/init/start-ttys.conf".

> (2) From point of view of mingetty, long login name is fatal internal error,
> thus it cannot continue by executing login (the name would be clamped and user
> misled thinking PAM got full login string).

Cutting the name so only the first 39 chars are used could be an option.

> Fatal errors cannot be overcome, this is a feature making your bug report
> invalid.
The limit is not documented (there are similar limitations to TTY name etc.). Cutting login name is bad idea as login(1) would get different data than user supplied. I'm strongly against silent mangling.
POSIX mandates 9 bytes minimal length including trailing '\0' (limits.h:_POSIX_LOGIN_NAME_MAX). Current GNU/Linux run time limit is 256 (getconf LOGIN_NAME_MAX). I will prepare patch to fulfill the run time limit.
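The approach discussed in the comments above (size the login name by the run-time LOGIN_NAME_MAX and reject an over-long name whole instead of truncating it), as an added example; this is not mingetty's code or the patch from this bug. The names read_login_name, login_name_max and enum name_status are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <unistd.h>

enum name_status { NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_EOF }; /* hypothetical */

/* Run-time limit, counting the trailing '\0' (what `getconf LOGIN_NAME_MAX`
 * reports); falls back to the POSIX minimum if the limit is indeterminate. */
static size_t login_name_max(void)
{
    long n = sysconf(_SC_LOGIN_NAME_MAX);
    return n > 0 ? (size_t)n : (size_t)_POSIX_LOGIN_NAME_MAX;
}

/* Read one line from `in` into buf[bufsize] as a login name.
 * An over-long name is rejected whole, never truncated, and the rest of the
 * line is drained so the tail cannot be read as the next name. */
static enum name_status read_login_name(FILE *in, char *buf, size_t bufsize)
{
    size_t limit = login_name_max(), len = 0;
    int c, too_long = 0;

    if (bufsize == 0)
        return NAME_TOO_LONG;
    if (bufsize < limit)
        limit = bufsize;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (len + 1 < limit)
            buf[len++] = (char)c;
        else
            too_long = 1;               /* keep consuming, store nothing */
    }
    buf[too_long ? 0 : len] = '\0';     /* nothing partial reaches the caller */
    if (too_long)
        return NAME_TOO_LONG;
    if (len == 0)
        return c == EOF ? NAME_EOF : NAME_EMPTY;
    return NAME_OK;
}

int main(void)
{
    static const char *const msg[] = { "ok", "empty", "too long", "eof" };
    char name[1024];
    enum name_status st = read_login_name(stdin, name, sizeof name);
    printf("%s (limit %zu)\n", msg[st], login_name_max());
    return st == NAME_OK ? 0 : 1;
}
```

A caller that gets NAME_TOO_LONG can log the event and prompt again without ever passing a clamped name to login(1).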
mingetty-1.08-6.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc14
mingetty-1.08-6.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc13
mingetty-1.08-6.fc12 has been submitted as an update for Fedora 12. https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc12
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
mingetty-1.08-6.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update mingetty'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/mingetty-1.08-6.fc12
mingetty-1.08-6.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
mingetty-1.08-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
mingetty-1.08-6.fc14 runs as expected. Thank you.