[11852] in bugtraq
Re: Redhat 6.0 Password Issues
daemon@ATHENA.MIT.EDU (Erik Parker)
Sun Sep 12 18:36:56 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9909111815430.16339-100000@noella.mindsec.com>
Date:         Sat, 11 Sep 1999 18:18:18 -0600
Reply-To: Erik Parker <eparker@MINDSEC.COM>
From: Erik Parker <eparker@MINDSEC.COM>
X-To:         Josh Higham <jhigham@BIGSKY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <0cd301befb9e$1c3b3780$16e1fcce@tumur.bigsky.net>
Yes, it is part of the UNIX crypt.. It can also
be changed very easily, however the problem with that is..
many daemons (lots of ftpd's) do not support more than 8 character
passwords. Or, they didn't a couple of years ago, I have just accepted it,
and gone on with life.
This is also all covered on redhat.com in detail in the documentation.
You will also note in your login.defs:
#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN           8
On Fri, 10 Sep 1999, Josh Higham wrote:
> >Gentlemen;
> >
> >I submitted what I thought was a minor issue on Redhat's handling
> >of passwords. Is it me? Is it something I missed? Any password you
> >assign over 8 characters gets cut...
>
>
> This is a result of UNIX crypt (I believe).  Standard unix passwords only
> handle the first 8 characters of a password; RH6.0 allows you to install MD5
> passwords, which can give you additional length, if desired.
>
> >
> >At first I thought it was my system but it's not since I tested it at
> >home,
> >but then at work its the same thing:
> >
> >------snip------
> >passwd
> >
> >I typed it p4$sW3rd$ as my password
> >but I was able to log in using p4$sW3rD
> >
> >ctrl-alt-del
> >bash
> >$
> >passwd
> >changed it to 1234567899999
> >and I was able to log in using:
> >12345678
> >-----endsnip-----
> >
> >Does anyone else know of this?
> >Has anyone heard of this?
> >
> >by the way I bcc'd this to Redhat as well. ;)
> >
> >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >Yours Truly
> >J. Oquendo
> >sil@antioffline.com
> >sil@macroshaft.org
> >
> >
> >"Linux -- Where you really can go tomorrow"
> >
> >ID 0x1281EC4F
> >DH/DSS
> >4096/1024
> >CIPHER: CAST
> >PGP Fingerprint
> >46C0 6A83 E6D2 FEA6 383A  B9A6 44D3 4E77 1281 EC4F
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: PGP Personal Privacy 6.0.2
> >
> >iQA/AwUBN6d/aETTTncSgexPEQLuAgCfRF5dpZii9yEPnqZ+F+
> >AEbzB+KL0An3mXPk+Y8lZxkr0crgw72zPX5w71=tCpK
> >-----END PGP SIGNATURE-----
>
Erik Parker
eparker@mindsec.com
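
An added example, not part of the original message: a small Python audit that reads the login.defs settings quoted above and lists shadow entries still stored as traditional crypt() hashes, where only the first 8 characters of the password count. The sample file contents, account names and hash strings are constructed, and the function names are this example's own.

```python
import re

# Constructed sample inputs (not taken from any real system).
SAMPLE_LOGIN_DEFS = """\
# Ignored if MD5_CRYPT_ENAB set to "yes".
#PASS_MAX_LEN           8
MD5_CRYPT_ENAB no
"""
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:10845:0:99999:7:::
alice:abCDEFGHIJKLM:10845:0:99999:7:::
bob:!!:10845:0:99999:7:::
"""

# Traditional crypt() output: 2-character salt + 11-character digest.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

def parse_login_defs(text):
    """Return the active (uncommented) settings as a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *rest = line.split(None, 1)
            settings[key] = rest[0].strip() if rest else ""
    return settings

def hash_scheme(field):
    """Classify a shadow password field by its stored format."""
    if field.startswith("$1$"):
        return "md5"
    if DES_HASH.match(field):
        return "des"
    return "locked-or-other"

def audit(login_defs_text, shadow_text):
    cfg = parse_login_defs(login_defs_text)
    md5 = cfg.get("MD5_CRYPT_ENAB", "no").lower() == "yes"
    # PASS_MAX_LEN defaults to 8 and is ignored when MD5 is enabled.
    significant = None if md5 else int(cfg.get("PASS_MAX_LEN", 8))
    des_accounts = [f[0] for f in (l.split(":") for l in shadow_text.splitlines())
                    if len(f) >= 2 and hash_scheme(f[1]) == "des"]
    return {"md5_enabled": md5, "significant_chars": significant,
            "des_accounts": des_accounts}

if __name__ == "__main__":
    print(audit(SAMPLE_LOGIN_DEFS, SAMPLE_SHADOW))
```

Accounts listed under `des_accounts` keep their 8-character limit until the password is changed after MD5 is enabled, since the stored hash format is fixed at the time the password is set.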