bug: backslashes preceding numbers in passwords

Teddy Hogeborn teddy at recompile.se
Sun Apr 24 02:08:07 CEST 2022


Jesse Norell <jesse at kci.net> writes:

>   In troubleshooting a client which did not work to unlock the disk at
> boot, I found that passwords with a backslash preceding a number are
> mishandled.  E.g. here the two-char sequence '\1' is converted to the
> single char 001:
>
> # KEY='test\1test\two'
> # echo -e "${KEY}\n${KEY}" | mandos-keygen --password
>
> (added output to mandos server)
>
> # echo ${KEY} | od -c
> 0000000   t   e   s   t   \   1   t   e   s   t   \   t   w   o  \n
> 0000017
>
> # /usr/lib/x86_64-linux-gnu/mandos/plugins.d/mandos-client \
>     --pubkey=/etc/keys/mandos/pubkey.txt \
>     --seckey=/etc/keys/mandos/seckey.txt \
>     --tls-pubkey=/etc/keys/mandos/tls-pubkey.pem \
>     --tls-privkey=/etc/keys/mandos/tls-privkey.pem | od -c
> 0000000   t   e   s   t 001   t   e   s   t  \t   w   o
> 0000014
>
> This is with mandos-client 1.8.14-1 on debian 11 (server is mandos
> 1.8.14-1~bpo10+1 on debian 10, but I think it's a client issue).

Thank you for reporting this bug!  The bug is now fixed in trunk.

The bug is actually not in the client, but in the mandos-keygen command.
This means that the incorrect password is what is stored on the server
(in clients.conf).  (Happily, this also means that all clients will
still reboot successfully after this fix has been released.)

/Teddy Hogeborn

-- 
The Mandos Project
https://www.recompile.se/mandos
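The byte pattern in the report (a two-character '\1' collapsing to the single byte 001, '\t' to a tab) is what shell escape processing produces when a password ends up in printf(1)'s format argument or in 'echo -e'. The script below is an added example, not code from mandos-keygen or the Mandos project, and it does not claim that this is the exact code path that was fixed; it reproduces the mangling on a constructed password and shows the pattern that carries the bytes through intact (data through a %s conversion, never as the format string).

```shell
#!/bin/sh
# Added example (not Mandos code): how shell escape processing mangles a
# password containing backslash sequences, and how to pass it through intact.

# Constructed password, same shape as the one in the bug report.
PW='test\1test\two'

# Lossy: the password is used as printf's FORMAT string, so '\1' is
# expanded to the octal byte 001 and '\t' to a tab.
lossy_printf() {
    printf "$1"
}

# Exact: the password goes through a %s conversion; only the literal
# format string is subject to escape processing.
exact_printf() {
    printf '%s' "$1"
}

# Feed a password twice on stdin (entry + confirmation) without 'echo -e',
# which would expand the same escapes before the tool ever sees them.
feed_twice() {
    printf '%s\n%s\n' "$1" "$1"
}

# Byte count of a writer function's output, for comparing the two paths.
byte_count() {
    writer=$1; shift
    "$writer" "$@" | wc -c | tr -d ' '
}

# od -c style dump, like the one in the report, to eyeball the bytes.
dump() {
    "$1" "$2" | od -An -c
}

# Prints 1 if the writer reproduces the password byte-for-byte, else 0.
roundtrips() {
    out=$("$1" "$2")
    [ "$out" = "$2" ] && echo 1 || echo 0
}

echo "lossy : $(byte_count lossy_printf "$PW") bytes"; dump lossy_printf "$PW"
echo "exact : $(byte_count exact_printf "$PW") bytes"; dump exact_printf "$PW"
feed_twice "$PW" | od -An -c
```

The lossy path yields 12 bytes (the 001 and tab bytes visible in the client's od -c output above), the exact path yields the original 14. When checking a fix of this kind, compare the stored password against the typed one with od -c rather than by eye: a tab and a 001 byte are easy to miss in a terminal.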