Hello I have been playing with some exotic authentication scheme with Dovecot and PAM. That involves sending really large base64 encoded data as the IMAP password, and I have hit a line limit in Dovecot, with AUTH_WORKER_MAX_LINE_LENGTH set to 1024. This limit is especially frustrating since other parts of the software use much larger limits: MAX_INBUF_SIZE 4096 MAX_IMAP_LINE 8192 AUTH_CLIENT_MAX_LINE_LENGTH 8192 I had to make the patch attached below to get my authentication working. I can live with this local patch, but given the much more liberal limits of MAX_INBUF_SIZE at 4096 makes we wonder if this 1024 limit on AUTH_WORKER_MAX_LINE_LENGTH could not be a bug. Or is there a security concern at using more than 1kB? Opinions? (please Cc: me, I'm not subscribed ot the list) --- src/auth/auth-worker-client.h.orig 2009-06-23 18:32:15.000000000 +0200 +++ src/auth/auth-worker-client.h 2009-06-23 18:32:33.000000000 +0200 @@ -1,8 +1,8 @@ #ifndef AUTH_WORKER_CLIENT_H #define AUTH_WORKER_CLIENT_H -#define AUTH_WORKER_MAX_LINE_LENGTH 1024 +#define AUTH_WORKER_MAX_LINE_LENGTH 4096 struct auth_worker_client *auth_worker_client_create(struct auth *auth, int fd); void auth_worker_client_destroy(struct auth_worker_client **client); void auth_worker_client_unref(struct auth_worker_client **client); -- Emmanuel Dreyfus manu at netbsd.org
On Wed, 2009-06-24 at 14:45 +0000, Emmanuel Dreyfus wrote:> I have been playing with some exotic authentication scheme with Dovecot > and PAM. That involves sending really large base64 encoded data as > the IMAP password, and I have hit a line limit in Dovecot, with > AUTH_WORKER_MAX_LINE_LENGTH set to 1024...> I had to make the patch attached below to get my authentication working. > I can live with this local patch, but given the much more liberal limits > of MAX_INBUF_SIZE at 4096 makes we wonder if this 1024 limit on > AUTH_WORKER_MAX_LINE_LENGTH could not be a bug. Or is there a security > concern at using more than 1kB?There's no real reason to keep it at 1 kB. I probably didn't even think about it much when I added it. I increased it to 8192 now. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: <http://dovecot.org/pipermail/dovecot/attachments/20090624/4cc249c0/attachment-0002.bin>
On Wed, Jun 24, 2009 at 02:21:50PM -0400, Timo Sirainen wrote:> There's no real reason to keep it at 1 kB. I probably didn't even think > about it much when I added it. I increased it to 8192 now.Thanks a lot! -- Emmanuel Dreyfus manu at netbsd.org
Hi
38 month ago, I submitted a patch to increase
AUTH_WORKER_MAX_LINE_LENGTH to use exotic authentication scheme (see
message below). The patch was accepted, but now I upgrade to dovecot
2.1.7, I face the same problem with MASTER_AUTH_MAX_DATA_SIZE. I had to
increase it from 1024 to 4096.
Is it safe to do so? Would such a change be accepted upstream? The patch
is below.
(please Cc: me, I'm not subscribed ot the list)
--- src/lib-master/master-auth.h.orig
+++ src/lib-master/master-auth.h
@@ -13,9 +13,9 @@
/* Authentication client process's cookie size */
#define MASTER_AUTH_COOKIE_SIZE (128/8)
/* LOGIN_MAX_INBUF_SIZE should be based on this.*/
-#define MASTER_AUTH_MAX_DATA_SIZE 1024
+#define MASTER_AUTH_MAX_DATA_SIZE 4096
#define MASTER_AUTH_ERRMSG_INTERNAL_FAILURE \
"Internal error occurred. Refer to server log for more
information."
Emmanuel Dreyfus <manu at netbsd.org> wrote:
> Hello
>
> I have been playing with some exotic authentication scheme with Dovecot
> and PAM. That involves sending really large base64 encoded data as
> the IMAP password, and I have hit a line limit in Dovecot, with
> AUTH_WORKER_MAX_LINE_LENGTH set to 1024.
>
> This limit is especially frustrating since other parts of the software
> use much larger limits:
> MAX_INBUF_SIZE 4096
> MAX_IMAP_LINE 8192
> AUTH_CLIENT_MAX_LINE_LENGTH 8192
>
> I had to make the patch attached below to get my authentication working.
> I can live with this local patch, but given the much more liberal limits
> of MAX_INBUF_SIZE at 4096 makes we wonder if this 1024 limit on
> AUTH_WORKER_MAX_LINE_LENGTH could not be a bug. Or is there a security
> concern at using more than 1kB?
>
> Opinions? (please Cc: me, I'm not subscribed ot the list)
>
> --- src/auth/auth-worker-client.h.orig 2009-06-23 18:32:15.000000000 +0200
> +++ src/auth/auth-worker-client.h 2009-06-23 18:32:33.000000000 +0200
> @@ -1,8 +1,8 @@
> #ifndef AUTH_WORKER_CLIENT_H
> #define AUTH_WORKER_CLIENT_H
>
> -#define AUTH_WORKER_MAX_LINE_LENGTH 1024
> +#define AUTH_WORKER_MAX_LINE_LENGTH 4096
>
> struct auth_worker_client *auth_worker_client_create(struct auth *auth,
int fd);> void auth_worker_client_destroy(struct auth_worker_client **client);
> void auth_worker_client_unref(struct auth_worker_client **client);
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu at netbsd.org