[Dovecot] Auth worker max line size
Hello
I have been playing with some exotic authentication scheme with Dovecot and PAM. That involves sending really large base64 encoded data as the IMAP password, and I have hit a line limit in Dovecot, with AUTH_WORKER_MAX_LINE_LENGTH set to 1024.
This limit is especially frustrating since other parts of the software use much larger limits:
MAX_INBUF_SIZE 4096
MAX_IMAP_LINE 8192
AUTH_CLIENT_MAX_LINE_LENGTH 8192
I had to make the patch attached below to get my authentication working. I can live with this local patch, but given the much more liberal limits of MAX_INBUF_SIZE at 4096 makes me wonder if this 1024 limit on AUTH_WORKER_MAX_LINE_LENGTH could not be a bug. Or is there a security concern at using more than 1kB?
Opinions? (please Cc: me, I'm not subscribed to the list)
--- src/auth/auth-worker-client.h.orig 2009-06-23 18:32:15.000000000 +0200 +++ src/auth/auth-worker-client.h 2009-06-23 18:32:33.000000000 +0200 @@ -1,8 +1,8 @@ #ifndef AUTH_WORKER_CLIENT_H #define AUTH_WORKER_CLIENT_H -#define AUTH_WORKER_MAX_LINE_LENGTH 1024 +#define AUTH_WORKER_MAX_LINE_LENGTH 4096 struct auth_worker_client *auth_worker_client_create(struct auth *auth, int fd); void auth_worker_client_destroy(struct auth_worker_client **client); void auth_worker_client_unref(struct auth_worker_client **client);
-- Emmanuel Dreyfus manu@netbsd.org
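Review bot: the new value on the `+#define AUTH_WORKER_MAX_LINE_LENGTH 4096` line is still half of the 8192 that this message lists for MAX_IMAP_LINE and AUTH_CLIENT_MAX_LINE_LENGTH, so a line that the IMAP parser and the auth client both accept can still exceed the worker limit and fail at the last hop. Rather than a second hard-coded number, consider defining the worker limit in terms of AUTH_CLIENT_MAX_LINE_LENGTH (or at least matching it), and add a comment above the define naming the limit it has to keep up with, since the header currently gives no rationale for the value. On the security question, it is worth confirming before merging that every reader of this constant sizes its input buffer from the macro itself and not from a separate fixed-size array.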
On Wed, 2009-06-24 at 14:45 +0000, Emmanuel Dreyfus wrote:
I have been playing with some exotic authentication scheme with Dovecot and PAM. That involves sending really large base64 encoded data as the IMAP password, and I have hit a line limit in Dovecot, with AUTH_WORKER_MAX_LINE_LENGTH set to 1024. .. I had to make the patch attached below to get my authentication working. I can live with this local patch, but given the much more liberal limits of MAX_INBUF_SIZE at 4096 makes me wonder if this 1024 limit on AUTH_WORKER_MAX_LINE_LENGTH could not be a bug. Or is there a security concern at using more than 1kB?
There's no real reason to keep it at 1 kB. I probably didn't even think about it much when I added it. I increased it to 8192 now.
Hi
38 months ago, I submitted a patch to increase AUTH_WORKER_MAX_LINE_LENGTH to use an exotic authentication scheme (see message below). The patch was accepted, but now that I have upgraded to dovecot 2.1.7, I face the same problem with MASTER_AUTH_MAX_DATA_SIZE. I had to increase it from 1024 to 4096.
Is it safe to do so? Would such a change be accepted upstream? The patch is below. (please Cc: me, I'm not subscribed to the list)
--- src/lib-master/master-auth.h.orig +++ src/lib-master/master-auth.h @@ -13,9 +13,9 @@ /* Authentication client process's cookie size */ #define MASTER_AUTH_COOKIE_SIZE (128/8) /* LOGIN_MAX_INBUF_SIZE should be based on this.*/ -#define MASTER_AUTH_MAX_DATA_SIZE 1024 +#define MASTER_AUTH_MAX_DATA_SIZE 4096 #define MASTER_AUTH_ERRMSG_INTERNAL_FAILURE \ "Internal error occurred. Refer to server log for more information."
Emmanuel Dreyfus <manu@netbsd.org> wrote:
Hello
I have been playing with some exotic authentication scheme with Dovecot and PAM. That involves sending really large base64 encoded data as the IMAP password, and I have hit a line limit in Dovecot, with AUTH_WORKER_MAX_LINE_LENGTH set to 1024.
This limit is especially frustrating since other parts of the software use much larger limits: MAX_INBUF_SIZE 4096 MAX_IMAP_LINE 8192 AUTH_CLIENT_MAX_LINE_LENGTH 8192
I had to make the patch attached below to get my authentication working. I can live with this local patch, but given the much more liberal limits of MAX_INBUF_SIZE at 4096 makes me wonder if this 1024 limit on AUTH_WORKER_MAX_LINE_LENGTH could not be a bug. Or is there a security concern at using more than 1kB?
Opinions? (please Cc: me, I'm not subscribed to the list)
--- src/auth/auth-worker-client.h.orig 2009-06-23 18:32:15.000000000 +0200 +++ src/auth/auth-worker-client.h 2009-06-23 18:32:33.000000000 +0200 @@ -1,8 +1,8 @@ #ifndef AUTH_WORKER_CLIENT_H #define AUTH_WORKER_CLIENT_H
-#define AUTH_WORKER_MAX_LINE_LENGTH 1024 +#define AUTH_WORKER_MAX_LINE_LENGTH 4096
struct auth_worker_client *auth_worker_client_create(struct auth *auth, int fd); void auth_worker_client_destroy(struct auth_worker_client **client); void auth_worker_client_unref(struct auth_worker_client **client);
-- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu@netbsd.org
On 16.8.2012, at 4.07, Emmanuel Dreyfus wrote:
38 months ago, I submitted a patch to increase AUTH_WORKER_MAX_LINE_LENGTH to use an exotic authentication scheme (see message below). The patch was accepted, but now that I have upgraded to dovecot 2.1.7, I face the same problem with MASTER_AUTH_MAX_DATA_SIZE. I had to increase it from 1024 to 4096.
Is it safe to do so? Would such a change be accepted upstream? The patch is below.
Couldn't you change the client to use AUTHENTICATE PLAIN command instead? The buffer wouldn't be a problem then..
Timo Sirainen <tss@iki.fi> wrote:
Couldn't you change the client to use AUTHENTICATE PLAIN command instead? The buffer wouldn't be a problem then..
Sorry for the delay, I missed the reply. That is not an option, as the client is not SASL capable.
--- src/lib-master/master-auth.h.orig +++ src/lib-master/master-auth.h @@ -13,9 +13,9 @@ /* Authentication client process's cookie size */ #define MASTER_AUTH_COOKIE_SIZE (128/8) /* LOGIN_MAX_INBUF_SIZE should be based on this.*/ -#define MASTER_AUTH_MAX_DATA_SIZE 1024 +#define MASTER_AUTH_MAX_DATA_SIZE 4096 #define MASTER_AUTH_ERRMSG_INTERNAL_FAILURE \ "Internal error occurred. Refer to server log for more information."
-- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu@netbsd.org
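Review bot: the context comment `/* LOGIN_MAX_INBUF_SIZE should be based on this.*/` directly above the changed `MASTER_AUTH_MAX_DATA_SIZE` define says another buffer limit depends on this value, yet the patch changes only this one header. Please check whether LOGIN_MAX_INBUF_SIZE is computed from the macro or is a separate literal; if it is a literal, it needs to be raised in the same patch so that the login input buffer and the master auth data size cannot disagree. It would also help to state in the comment why 4096 was chosen, since the earlier thread settled on 8192 for the auth worker line length and the two limits sit on the same credential path.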