Bugtraq mailing list archives

Re: Redhat 6.0 Password Issues


From: eparker () MINDSEC COM (Erik Parker)
Date: Sat, 11 Sep 1999 18:18:18 -0600


Yes, it is part of the UNIX crypt.. It can also
be changed very easily, however the problem with that is..
many daemons (lots of ftpd's) do not support more than 8 character
passwords. Or, they didn't a couple of years ago, I have just accepted it,
and gone on with life.

This is also all covered on redhat.com in detail in the documentation.
You will also note in your login.defs

#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN           8

On Fri, 10 Sep 1999, Josh Higham wrote:

Gentleman;

I submitted what I thought was a minor issue on Redhat's handling
of passwords. Is it me? Is it something I missed? Any password you
assign over 8 characters gets cut...


This is a result of UNIX crypt (I believe).  Standard unix passwords only
handle the first 8 characters of a password; RH6.0 allows you to install MD5
passwords, which can give you additional length, if desired.


At first I thought it was my system but it's not since I tested it at home,
but then at work it's the same thing:

------snip------
passwd

I typed it p4$sW3rd$ as my password
but I was able to log in using p4$sW3rD

ctrl-alt-del
bash
$
passwd
changed it to 1234567899999
and I was able to log in using:
12345678
-----endsnip-----

Does anyone else know of this?
Has anyone heard of this?

by the way I bcc'd this to Redhat as well. ;)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Yours Truly
J. Oquendo
sil () antioffline com
sil () macroshaft org


"Linux -- Where you really can go tomorrow"

ID 0x1281EC4F
DH/DSS
4096/1024
CIPHER: CAST
PGP Fingerprint
46C0 6A83 E6D2 FEA6 383A  B9A6 44D3 4E77 1281 EC4F



Erik Parker
eparker () mindsec com
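
Added example, not part of the original posts: a short Python sketch of why the two passwords in the thread are interchangeable under traditional DES crypt(), plus a check that lists which accounts in a shadow-style file still carry such hashes. The function names and the sample entries are assumptions made for illustration; the hash strings are constructed placeholders, not real hashes.

```python
import re

# Traditional DES crypt() output: 2-character salt + 11 characters, no "$" prefix.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

def des_crypt_key(password: str) -> bytes:
    """Key bytes classic DES crypt() uses: the low 7 bits of each of the
    first 8 characters, shifted left by one; later characters are dropped."""
    raw = password.encode("latin-1")[:8].ljust(8, b"\0")
    return bytes((b & 0x7F) << 1 for b in raw)

def hash_scheme(field: str) -> str:
    """Classify the password field of a shadow-style entry."""
    if field.startswith("$1$"):
        return "md5"       # MD5 crypt, not limited to 8 characters
    if DES_HASH.match(field):
        return "des"       # only the first 8 characters are significant
    if field == "" or field[0] in "*!":
        return "none"      # empty or locked account
    return "other"

def truncating_accounts(shadow_text: str) -> list:
    """Return the accounts whose hash is DES crypt, i.e. 8 significant characters."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and hash_scheme(fields[1]) == "des":
            names.append(fields[0])
    return names

# Constructed sample entries; the hash strings are made-up placeholders.
SAMPLE_SHADOW = """\
root:$1$Xy7kQ2pL$0123456789abcdefghijkl:10845:0:99999:7:::
ftpuser:abJnggxhB/yWI:10845:0:99999:7:::
daemon:*:10845:0:99999:7:::
"""

if __name__ == "__main__":
    # The two passwords from the thread give identical key material.
    print(des_crypt_key("1234567899999") == des_crypt_key("12345678"))
    print(truncating_accounts(SAMPLE_SHADOW))
```

Accounts reported by `truncating_accounts` keep the 8-character limit until their password is set again with MD5 passwords enabled, since the existing hash is not converted.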

