[20198] in bugtraq
Re: flaw in RH ``mkpasswd'' command
daemon@ATHENA.MIT.EDU (Thomas Roessler)
Fri Apr 13 07:07:48 2001
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010412020245.C9045@sobolev.does-not-exist.org>
Date: Thu, 12 Apr 2001 02:02:45 +0200
Reply-To: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
From: Thomas Roessler <roessler@DOES-NOT-EXIST.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <01041116323808.01025@kara>; from shez@MOLIONS.COM on Wed, Apr 11, 2001 at 04:32:38PM +0100
On 2001-04-11 16:32:38 +0100, Shez wrote:
> The mkpasswd password generator that ships in the
> ``expect'' package of (at least RedHat 6.2) generates only a
> relatively small number (2^15 for the default password length) of
> passwords. Presumably this is a result of trying to apply too
> many rules of what is a ``good'' password to the generation
> process.
From a quick read of the program code, mkpasswd seeds its random
number generator from the process id, which means that the number of
different passwords is controlled by PID_MAX (which seems to be
0x8000 on current Linux systems).
--
Thomas Roessler <roessler@does-not-exist.org>
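As an added illustration of the point made above (example code, not the post's own nor mkpasswd's): a constructed Python model of a password generator that seeds its PRNG from the process id. Enumerating every possible seed shows the reachable password space is capped by PID_MAX (0x8000 = 2^15) no matter how long the password is; a CSPRNG-based generator, the usual fix, is shown beside it.

```python
import math
import random
import secrets
import string

PID_MAX = 0x8000          # 2^15, the Linux PID ceiling the post refers to
ALPHABET = string.ascii_letters + string.digits


def pid_seeded_password(pid: int, length: int = 9) -> str:
    """Model of a generator that seeds its PRNG from the process id.

    Constructed stand-in for the behaviour described in the post, not
    mkpasswd's actual code: the only entropy entering the generator is the
    seed, so every output is a deterministic function of the PID.
    """
    rng = random.Random(pid)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def distinct_outputs(length: int = 9, pid_max: int = PID_MAX) -> int:
    """Count the distinct passwords reachable from every possible seed.

    Whatever `length` is, the result can never exceed pid_max: the password
    space is bounded by the seed space, not by alphabet and length.
    """
    return len({pid_seeded_password(pid, length) for pid in range(pid_max)})


def effective_bits(length: int = 9, pid_max: int = PID_MAX) -> float:
    """Entropy actually delivered: log2 of the number of reachable outputs."""
    return math.log2(distinct_outputs(length, pid_max))


def nominal_bits(length: int = 9) -> float:
    """Entropy the password appears to have from its alphabet and length."""
    return length * math.log2(len(ALPHABET))


def csprng_password(length: int = 9) -> str:
    """The fix: draw each character from the OS CSPRNG; no seed to exhaust."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for n in (8, 9, 16):
        print(f"length {n:2d}: nominal {nominal_bits(n):5.1f} bits, "
              f"effective {effective_bits(n):5.1f} bits "
              f"({distinct_outputs(n)} distinct passwords)")
    print("CSPRNG sample:", csprng_password())
```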