dc4945
From a8611e205bfe7b7538523ec492069987f5d7de64 Mon Sep 17 00:00:00 2001
dc4945
From: Alexander Bokovoy <abokovoy@redhat.com>
dc4945
Date: Wed, 8 Apr 2020 15:00:38 +0300
dc4945
Subject: [PATCH] CVE-2020-1722: prevent use of too long passwords
dc4945
dc4945
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:
dc4945
dc4945
https://pages.nist.gov/800-63-3/sp800-63b.html#appA
dc4945
dc4945
	Users should be encouraged to make their passwords as lengthy as they
dc4945
	want, within reason. Since the size of a hashed password is independent
dc4945
	of its length, there is no reason not to permit the use of lengthy
dc4945
	passwords (or pass phrases) if the user wishes. Extremely long passwords
dc4945
	(perhaps megabytes in length) could conceivably require excessive
dc4945
	processing time to hash, so it is reasonable to have some limit.
dc4945
dc4945
FreeIPA already applied 256 characters limit for non-random passwords
dc4945
set through ipa-getkeytab tool. The limit was not, however, enforced in
dc4945
other places.
dc4945
dc4945
MIT Kerberos limits the length of the password to 1024 characters in its
dc4945
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
dc4945
differentiate between a password larger than 1024 and a password of 1024
dc4945
characters. As a result, longer passwords are silently cut off.
dc4945
dc4945
To prevent silent cut off for user passwords, use limit of 1000
dc4945
characters.
dc4945
dc4945
Thus, this patch enforces common limit of 1000 characters everywhere:
dc4945
 - LDAP-based password changes
dc4945
   - LDAP password change control
dc4945
   - LDAP ADD and MOD operations on clear-text userPassword
dc4945
   - Keytab setting with ipa-getkeytab
dc4945
 - Kerberos password setting and changing
dc4945
dc4945
Fixes: https://pagure.io/freeipa/issue/8268
dc4945
dc4945
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
dc4945
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
dc4945
Reviewed-by: Simo Sorce <ssorce@redhat.com>
dc4945
Reviewed-By: Simo Sorce <ssorce@redhat.com>
dc4945
---
dc4945
 client/ipa-getkeytab.c                        | 19 ++++-
dc4945
 client/man/ipa-getkeytab.1                    |  2 +-
dc4945
 daemons/ipa-kdb/ipa_kdb_passwords.c           |  6 ++
dc4945
 .../ipa-slapi-plugins/ipa-pwd-extop/common.c  |  9 +++
dc4945
 .../ipa-pwd-extop/ipa_pwd_extop.c             | 13 +++
dc4945
 .../ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h  |  1 +
dc4945
 .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 29 ++++++-
dc4945
 ipatests/test_integration/test_commands.py    | 79 +++++++++++++++++++
dc4945
 util/ipa_krb5.c                               | 18 +++++
dc4945
 util/ipa_krb5.h                               |  3 +
dc4945
 10 files changed, 171 insertions(+), 8 deletions(-)
dc4945
dc4945
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
dc4945
index 8a5e98bed1947344247f9d6146e595d5f7f7a963..b174093d3762f8a6bfa27045bed393c2cd422fe0 100644
dc4945
--- a/client/ipa-getkeytab.c
dc4945
+++ b/client/ipa-getkeytab.c
dc4945
@@ -633,6 +633,11 @@ done:
dc4945
  * set match=true to enforce that the two entered passwords match.
dc4945
  *
dc4945
  * To prompt for an existing password provide prompt1 and set match=false.
dc4945
+ *
dc4945
+ * Implementation details:
dc4945
+ * krb5_prompter_posix() does not differentiate between too long entry or
dc4945
+ * an entry exactly the size of a buffer. Thus, allocate a bigger buffer
dc4945
+ * and do the check for a too long password afterwards.
dc4945
  */
dc4945
 static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
dc4945
                           bool match)
dc4945
@@ -640,8 +645,10 @@ static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
dc4945
     krb5_prompt ap_prompts[2];
dc4945
     krb5_data k5d_pw0;
dc4945
     krb5_data k5d_pw1;
dc4945
-    char pw0[256];
dc4945
-    char pw1[256];
dc4945
+#define MAX(a,b) (((a)>(b))?(a):(b))
dc4945
+#define PWD_BUFFER_SIZE MAX((IPAPWD_PASSWORD_MAX_LEN + 2), 1024)
dc4945
+    char pw0[PWD_BUFFER_SIZE];
dc4945
+    char pw1[PWD_BUFFER_SIZE];
dc4945
     char *password;
dc4945
     int num_prompts = match ? 2:1;
dc4945
 
dc4945
@@ -664,7 +671,12 @@ static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
dc4945
                 num_prompts, ap_prompts);
dc4945
 
dc4945
     if (match && (strcmp(pw0, pw1))) {
dc4945
-        fprintf(stderr, _("Passwords do not match!"));
dc4945
+        fprintf(stderr, _("Passwords do not match!\n"));
dc4945
+        return NULL;
dc4945
+    }
dc4945
+
dc4945
+    if (k5d_pw0.length > IPAPWD_PASSWORD_MAX_LEN) {
dc4945
+        fprintf(stderr, "%s\n", ipapwd_password_max_len_errmsg);
dc4945
         return NULL;
dc4945
     }
dc4945
 
dc4945
@@ -1017,6 +1029,7 @@ int main(int argc, const char *argv[])
dc4945
             }
dc4945
 
dc4945
             fprintf(stderr, _("Failed to create key material\n"));
dc4945
+            free_keys_contents(krbctx, &keys);
dc4945
             exit(8);
dc4945
         }
dc4945
 
dc4945
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
dc4945
index 6e7fdf39ee4e28772365edafd4c7e86d0c37d343..21ba651c4ac78d09bc57d498b38591fdbfd1d151 100644
dc4945
--- a/client/man/ipa-getkeytab.1
dc4945
+++ b/client/man/ipa-getkeytab.1
dc4945
@@ -95,7 +95,7 @@ DES cbc mode with RSA\-MD5
dc4945
 DES cbc mode with RSA\-MD4
dc4945
 .TP
dc4945
 \fB\-P, \-\-password\fR
dc4945
-Use this password for the key instead of one randomly generated.
dc4945
+Use this password for the key instead of one randomly generated. The length of the password is limited by 1024 characters. Note that MIT Kerberos also limits passwords entered through kpasswd and kadmin commands to the same length.
dc4945
 .TP
dc4945
 \fB\-D, \-\-binddn\fR
dc4945
 The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR or \fB\-W\fR options.
dc4945
diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
dc4945
index a3d4fe2436da60d081040754780d3e815acb1473..9362f4305d9973004a8c890540b5fa1622de772b 100644
dc4945
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
dc4945
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
dc4945
@@ -80,6 +80,12 @@ static krb5_error_code ipadb_check_pw_policy(krb5_context context,
dc4945
         return EINVAL;
dc4945
     }
dc4945
 
dc4945
+    if (strlen(passwd) > IPAPWD_PASSWORD_MAX_LEN) {
dc4945
+        krb5_set_error_message(context, E2BIG, "%s",
dc4945
+                               ipapwd_password_max_len_errmsg);
dc4945
+        return E2BIG;
dc4945
+    }
dc4945
+
dc4945
     ied->passwd = strdup(passwd);
dc4945
     if (!ied->passwd) {
dc4945
         return ENOMEM;
dc4945
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
dc4945
index ba5c54e58e9b0b5dcc657d88c530c237e321495c..716b71333050f1d05063289f9890918b86ddb108 100644
dc4945
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
dc4945
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
dc4945
@@ -1087,3 +1087,12 @@ void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg)
dc4945
     *cfg = NULL;
dc4945
 };
dc4945
 
dc4945
+int ipapwd_check_max_pwd_len(size_t len, char **errMesg) {
dc4945
+    if (len > IPAPWD_PASSWORD_MAX_LEN) {
dc4945
+        LOG("%s\n", ipapwd_password_max_len_errmsg);
dc4945
+        *errMesg = ipapwd_password_max_len_errmsg;
dc4945
+        return LDAP_CONSTRAINT_VIOLATION;
dc4945
+    }
dc4945
+    return 0;
dc4945
+}
dc4945
+
dc4945
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
dc4945
index f92706810d875cc6c7d8bc7a676c13ecc5d50e54..be413742cd2d54ab8bc7c51e6600b3dbbd26cec7 100644
dc4945
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
dc4945
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
dc4945
@@ -318,6 +318,11 @@ parse_req_done:
dc4945
 		goto free_and_return;
dc4945
 	}
dc4945
 
dc4945
+        rc = ipapwd_check_max_pwd_len(strlen(newPasswd), &errMesg);
dc4945
+        if (rc) {
dc4945
+            goto free_and_return;
dc4945
+        }
dc4945
+
dc4945
 	if (oldPasswd == NULL || *oldPasswd == '\0') {
dc4945
 		/* If user is authenticated, they already gave their password during
dc4945
 		the bind operation (or used sasl or client cert auth or OS creds) */
dc4945
@@ -1661,6 +1666,14 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
dc4945
 
dc4945
     } else {
dc4945
 
dc4945
+        if (password != NULL) {
dc4945
+            /* if password was passed-in, check its length */
dc4945
+            rc = ipapwd_check_max_pwd_len(strlen(password), &err_msg);
dc4945
+            if (rc) {
dc4945
+                goto free_and_return;
dc4945
+            }
dc4945
+	}
dc4945
+
dc4945
         /* check if we are allowed to *write* keys */
dc4945
         acl_ok = is_allowed_to_access_attr(pb, bind_dn, target_entry,
dc4945
                                            WRITEKEYS_OP_CHECK, NULL,
dc4945
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
dc4945
index 31c76b3f1a3854a5126bf6c7bbb9bf7b3bcf02e7..5a49fa7e6c787f15b641da794ec5ee3e7a525292 100644
dc4945
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
dc4945
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
dc4945
@@ -133,6 +133,7 @@ int ipapwd_set_extradata(const char *dn,
dc4945
                          time_t unixtime);
dc4945
 void ipapwd_free_slapi_value_array(Slapi_Value ***svals);
dc4945
 void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg);
dc4945
+int ipapwd_check_max_pwd_len(size_t len, char **errMesg);
dc4945
 
dc4945
 /* from encoding.c */
dc4945
 struct ipapwd_keyset {
dc4945
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
dc4945
index 001f615ecdb87ac62fe237d5d9a932f0292c2e24..04cd2b10f3ba4375e6a278afe87cbd9d257d528f 100644
dc4945
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
dc4945
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
dc4945
@@ -278,6 +278,10 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
dc4945
                 rc = LDAP_CONSTRAINT_VIOLATION;
dc4945
                 slapi_ch_free_string(&userpw);
dc4945
             } else {
dc4945
+                rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
dc4945
+                if (rc) {
dc4945
+                    goto done;
dc4945
+                }
dc4945
                 userpw = slapi_ch_strdup(userpw_clear);
dc4945
             }
dc4945
 
dc4945
@@ -560,6 +564,11 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
dc4945
                 goto done;
dc4945
             }
dc4945
             bv = lmod->mod_bvalues[0];
dc4945
+
dc4945
+            rc = ipapwd_check_max_pwd_len(bv->bv_len, &errMesg);
dc4945
+            if (rc) {
dc4945
+                goto done;
dc4945
+            }
dc4945
             slapi_ch_free_string(&unhashedpw);
dc4945
             unhashedpw = slapi_ch_malloc(bv->bv_len+1);
dc4945
             if (!unhashedpw) {
dc4945
@@ -782,7 +791,12 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
dc4945
     if (! unhashedpw && (gen_krb_keys || is_smb || is_ipant)) {
dc4945
         if ((userpw != NULL) && ('{' == userpw[0])) {
dc4945
             if (0 == strncasecmp(userpw, "{CLEAR}", strlen("{CLEAR}"))) {
dc4945
-                unhashedpw = slapi_ch_strdup(&userpw[strlen("{CLEAR}")]);
dc4945
+                const char *userpw_clear = &userpw[strlen("{CLEAR}")];
dc4945
+                rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg);
dc4945
+                if (rc) {
dc4945
+                    goto done;
dc4945
+                }
dc4945
+                unhashedpw = slapi_ch_strdup(userpw_clear);
dc4945
                 if (NULL == unhashedpw) {
dc4945
                     LOG_OOM();
dc4945
                     rc = LDAP_OPERATIONS_ERROR;
dc4945
@@ -1416,6 +1430,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
dc4945
     time_t expire_time;
dc4945
     char *principal_expire = NULL;
dc4945
     struct tm expire_tm;
dc4945
+    int rc = LDAP_INVALID_CREDENTIALS;
dc4945
+    char *errMesg = NULL;
dc4945
 
dc4945
     /* get BIND parameters */
dc4945
     ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn);
dc4945
@@ -1477,8 +1493,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
dc4945
         goto invalid_creds;
dc4945
 
dc4945
     /* Ensure that there is a password. */
dc4945
-    if (credentials->bv_len == 0)
dc4945
+    if (credentials->bv_len == 0) {
dc4945
         goto invalid_creds;
dc4945
+    } else {
dc4945
+        rc = ipapwd_check_max_pwd_len(credentials->bv_len, &errMesg);
dc4945
+        if (rc) {
dc4945
+            goto invalid_creds;
dc4945
+        }
dc4945
+    }
dc4945
 
dc4945
     /* Authenticate the user. */
dc4945
     ret = ipapwd_authenticate(dn, entry, credentials);
dc4945
@@ -1502,8 +1524,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
dc4945
 invalid_creds:
dc4945
     slapi_entry_free(entry);
dc4945
     slapi_sdn_free(&sdn;;
dc4945
-    slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
dc4945
-                           NULL, NULL, 0, NULL);
dc4945
+    slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
dc4945
     return 1;
dc4945
 }
dc4945
 
dc4945
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
dc4945
index a14a324ec2db26400aa67d2fc61f9c30b9b1d045..715a1f1a8f4105a470cc6f205a6bb9bc9db030e0 100644
dc4945
--- a/ipatests/test_integration/test_commands.py
dc4945
+++ b/ipatests/test_integration/test_commands.py
dc4945
@@ -33,6 +33,7 @@ from ipatests.test_integration.base import IntegrationTest
dc4945
 from ipatests.pytest_ipa.integration import tasks
dc4945
 from ipaplatform.tasks import tasks as platform_tasks
dc4945
 from ipatests.pytest_ipa.integration.create_external_ca import ExternalCA
dc4945
+from ipapython.ipautil import ipa_generate_password
dc4945
 
dc4945
 logger = logging.getLogger(__name__)
dc4945
 
dc4945
@@ -337,6 +338,84 @@ class TestIPACommand(IntegrationTest):
dc4945
         except CalledProcessError:
dc4945
             pytest.fail("Password change failed when it should not")
dc4945
 
dc4945
+    def test_huge_password(self):
dc4945
+        user = 'toolonguser'
dc4945
+        hostname = 'toolong.{}'.format(self.master.domain.name)
dc4945
+        huge_password = ipa_generate_password(min_len=1536)
dc4945
+        original_passwd = 'Secret123'
dc4945
+        master = self.master
dc4945
+        base_dn = str(master.domain.basedn)  # pylint: disable=no-member
dc4945
+
dc4945
+        # Create a user with a password that is too long
dc4945
+        tasks.kinit_admin(master)
dc4945
+        add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password)
dc4945
+        result = master.run_command(['ipa', 'user-add', user,
dc4945
+                                     '--first', user,
dc4945
+                                     '--last', user,
dc4945
+                                     '--password'],
dc4945
+                                    stdin_text=add_password_stdin_text,
dc4945
+                                    raiseonerr=False)
dc4945
+        assert result.returncode != 0
dc4945
+
dc4945
+        # Try again with a normal password
dc4945
+        add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
dc4945
+        master.run_command(['ipa', 'user-add', user,
dc4945
+                            '--first', user,
dc4945
+                            '--last', user,
dc4945
+                            '--password'],
dc4945
+                           stdin_text=add_password_stdin_text)
dc4945
+
dc4945
+        # kinit as that user in order to modify the pwd
dc4945
+        user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
dc4945
+            old=original_passwd,
dc4945
+            new=original_passwd)
dc4945
+        master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
dc4945
+        # sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
dc4945
+        # a 1s precision)
dc4945
+        time.sleep(1)
dc4945
+        # perform ldapmodify on userpassword as dir mgr
dc4945
+        entry_ldif = textwrap.dedent("""
dc4945
+            dn: uid={user},cn=users,cn=accounts,{base_dn}
dc4945
+            changetype: modify
dc4945
+            replace: userpassword
dc4945
+            userpassword: {new_passwd}
dc4945
+        """).format(
dc4945
+            user=user,
dc4945
+            base_dn=base_dn,
dc4945
+            new_passwd=huge_password)
dc4945
+
dc4945
+        result = tasks.ldapmodify_dm(master, entry_ldif, raiseonerr=False)
dc4945
+        assert result.returncode != 0
dc4945
+
dc4945
+        # ask_password in ipa-getkeytab will complain about too long password
dc4945
+        keytab_file = os.path.join(self.master.config.test_dir,
dc4945
+                                   'user.keytab')
dc4945
+        password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password)
dc4945
+        result = self.master.run_command(['ipa-getkeytab',
dc4945
+                                          '-p', user,
dc4945
+                                          '-P',
dc4945
+                                          '-k', keytab_file,
dc4945
+                                          '-s', self.master.hostname],
dc4945
+                                         stdin_text=password_stdin_text,
dc4945
+                                         raiseonerr=False)
dc4945
+        assert result.returncode != 0
dc4945
+        assert "clear-text password is too long" in result.stderr_text
dc4945
+
dc4945
+        # Create a host with a user-set OTP that is too long
dc4945
+        tasks.kinit_admin(master)
dc4945
+        result = master.run_command(['ipa', 'host-add', '--force',
dc4945
+                                     hostname,
dc4945
+                                     '--password', huge_password],
dc4945
+                                    raiseonerr=False)
dc4945
+        assert result.returncode != 0
dc4945
+
dc4945
+        # Try again with a valid password
dc4945
+        result = master.run_command(['ipa', 'host-add', '--force',
dc4945
+                                     hostname,
dc4945
+                                     '--password', original_passwd],
dc4945
+                                    raiseonerr=False)
dc4945
+        assert result.returncode == 0
dc4945
+
dc4945
     def test_change_selinuxusermaporder(self):
dc4945
         """
dc4945
         An update file meant to ensure a more sane default was
dc4945
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
dc4945
index c09c3daa505655f2e5292a79c03683faa75ad244..1ba6d25eecb27935ffb14923015f08745aad20fe 100644
dc4945
--- a/util/ipa_krb5.c
dc4945
+++ b/util/ipa_krb5.c
dc4945
@@ -31,6 +31,13 @@
dc4945
 
dc4945
 #include "ipa_krb5.h"
dc4945
 
dc4945
+#define TOSTR(x) STR(x)
dc4945
+#define STR(x) #x
dc4945
+const char *ipapwd_password_max_len_errmsg = \
dc4945
+    "clear-text password is too long (max " \
dc4945
+    TOSTR(IPAPWD_PASSWORD_MAX_LEN) \
dc4945
+    " chars)!";
dc4945
+
dc4945
 /* Salt types */
dc4945
 #define KRB5P_SALT_SIZE 16
dc4945
 
dc4945
@@ -125,6 +132,13 @@ krb5_error_code ipa_krb5_generate_key_data(krb5_context krbctx,
dc4945
     int num_keys;
dc4945
     int i;
dc4945
 
dc4945
+    if ((pwd.data != NULL) && (pwd.length > IPAPWD_PASSWORD_MAX_LEN)) {
dc4945
+        kerr = E2BIG;
dc4945
+        krb5_set_error_message(krbctx, kerr, "%s",
dc4945
+                               ipapwd_password_max_len_errmsg);
dc4945
+        return kerr;
dc4945
+    }
dc4945
+
dc4945
     num_keys = num_encsalts;
dc4945
     keys = calloc(num_keys, sizeof(krb5_key_data));
dc4945
     if (!keys) {
dc4945
@@ -970,6 +984,10 @@ int create_keys(krb5_context krbctx,
dc4945
     if (password) {
dc4945
         key_password.data = password;
dc4945
         key_password.length = strlen(password);
dc4945
+        if (key_password.length > IPAPWD_PASSWORD_MAX_LEN) {
dc4945
+            *err_msg = _("Password is too long!\n");
dc4945
+            return 0;
dc4945
+        }
dc4945
 
dc4945
         realm = krb5_princ_realm(krbctx, princ);
dc4945
     }
dc4945
diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
dc4945
index b039c1a7f3d0bc215376f8f1dd2ac93e75a0c626..8392a85b6740ece1ba7085a4733ea0f2f6b1fe64 100644
dc4945
--- a/util/ipa_krb5.h
dc4945
+++ b/util/ipa_krb5.h
dc4945
@@ -30,6 +30,9 @@ struct keys_container {
dc4945
 #define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2"
dc4945
 #define KEYTAB_GET_OID "2.16.840.1.113730.3.8.10.5"
dc4945
 
dc4945
+#define IPAPWD_PASSWORD_MAX_LEN 1000
dc4945
+extern const char *ipapwd_password_max_len_errmsg;
dc4945
+
dc4945
 int krb5_klog_syslog(int, const char *, ...);
dc4945
 
dc4945
 void
dc4945
-- 
dc4945
2.25.2
dc4945