[2721] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

telnet/416: password length limited to 8 chars with insecure telnet

daemon@ATHENA.MIT.EDU (William Kessler)
Fri Apr 11 11:15:59 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: hartmans@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, William Kessler <kessler@celebration.net>
Date: Fri, 11 Apr 1997 10:11:24 -0500 (EST)
From: William Kessler <kessler@celebration.net>
To: krb5-bugs@MIT.EDU


>Number:         416
>Category:       telnet
>Synopsis:       non-secure telnet limited to 8 char passwords
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    hartmans
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Fri Apr 11 11:12:00 EDT 1997
>Last-Modified:
>Originator:     William Kessler
>Organization:
William K. Kessler   voice: +1 317 570 3063  fax: +1 317 570 3297
AT&T                 email: kessler@celebration.net
6612 E. 75th St.
Indianapolis, IN  46250
>Release:        1.0
>Environment:
	 X86 FreeBSD 2.1+
System: FreeBSD indy.celebration.net 2.1-STABLE FreeBSD 2.1-STABLE #1: Mon Apr 22 11:18:58 EST 1996 toor@indy.celebration.net:/usr4/sys/compile/EXP i386


>Description:
	
A non-secure telnet to a system deamon /usr/local/sbin/telnetd -a none
will not accept users with passwords longer than 8 characters.
>How-To-Repeat:
	
Locally create an account with a password longer than 8 characters and no KDC entries.
Then telnet to that machine and try an insecure login using that user id/password.
The attempt will fail while login accounts with 8 character passwords will work.
>Fix:
	
Have users select shorter passwords if access from insecure client is required.

>Audit-Trail:
>Unformatted:
X-send-pr-version: 3.99



home help back first fref pref prev next nref lref last post