[9524] in bugtraq
Re: SSH 1.x and 2.x Daemon
daemon@ATHENA.MIT.EDU (der Mouse)
Fri Feb 12 20:08:08 1999
Date: Thu, 11 Feb 1999 14:46:25 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG

> [...] However in practice one can also assume that any field longer
> than 13 characters results in a locked account.
> (This would then require custom checks to be added for systems such
> as FreeBSD which don't use the standard Unix DES 64-bit password
> encryption, but that's not so hard to do. [...])

It's not hard to do for any individual system. It's a nightmare to try
to maintain such checks in a master source tree. I know of three (I
think) free Unices and one commercial one that break the "length!=13 ->
invalid" assumption, and as CPU speed increases make the old DES-based
hashes less and less secure in practice, there will be more.

der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
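
Added example, not part of the message above or of any SSH source tree: a C comparison of the "length!=13 -> invalid" heuristic with a format-aware check of the password field, showing where the heuristic misjudges non-DES hashes. The function and enum names are hypothetical, the sample fields are constructed filler rather than real hashes, and the set of formats recognised (traditional DES, BSDi extended DES, `$id$` modular crypt) is an assumption about what a given system accepts.

```c
#include <stdio.h>
#include <string.h>

enum pw_kind { PW_EMPTY, PW_LOCKED, PW_DES, PW_BSDI_DES, PW_MODULAR };

/* crypt(3) base-64 alphabet used by the DES-based formats. */
static const char B64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* True if s is exactly n characters, all from the crypt(3) alphabet. */
static int is_crypt64(const char *s, size_t n) {
    return strlen(s) == n && strspn(s, B64) == n;
}

/* The heuristic under discussion: any field that is not 13 chars is locked. */
int naive_is_locked(const char *field) {
    return strlen(field) != 13;
}

/* Format-aware classification of a passwd/shadow password field. */
enum pw_kind classify_pw_field(const char *field) {
    if (field[0] == '\0') return PW_EMPTY;          /* no password set */
    if (is_crypt64(field, 13)) return PW_DES;       /* traditional DES crypt */
    if (field[0] == '_' && is_crypt64(field + 1, 19))
        return PW_BSDI_DES;                         /* extended DES, 20 chars */
    if (field[0] == '$') {                          /* $id$salt$hash, e.g. $1$ MD5 */
        const char *id_end = strchr(field + 1, '$');
        if (id_end && id_end > field + 1 && id_end[1] != '\0')
            return PW_MODULAR;
    }
    return PW_LOCKED;                               /* "*", "!", "!<hash>", ... */
}

int main(void) {
    /* Constructed sample fields; hash bodies are filler. */
    const char *samples[] = { "*", "abJnggxhB/yWI", "_J9..SALTabcdefghijk",
                              "$1$saltsalt$abcdefghijklmnopqrstuv",
                              "!abJnggxhB/yWI", "*************" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-36s naive_locked=%d kind=%d\n", samples[i],
               naive_is_locked(samples[i]), classify_pw_field(samples[i]));
    return 0;
}
```

The heuristic fails in both directions on these samples: the `$1$` and `_` fields are usable hashes that it reports as locked, and the 13-asterisk field is not a hash but passes the length test.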