[16602] in Athena Bugs


sun4 8.2.9: telnet

daemon@ATHENA.MIT.EDU (Owen W Ozier)
Thu Jan 14 10:29:59 1999

To: bugs@MIT.EDU
Date: Thu, 14 Jan 1999 10:29:54 EST
From: Owen W Ozier <ooze@MIT.EDU>

System name:		home-on-the-dome.mit.edu
Type and version:	SPARC/5 8.2.9 (with mkserv)
Display type:		unknown

What were you trying to do?

	Log in, by way of telnet.

What's wrong:

	The first login is fine.  After that: If you log in a second
	time, on the same dialup machine, if you type your entire password
	(provided that it is at least eight characters long) and follow it
	with any sequence of characters, Kerberos reports "Password
	incorrect" but it logs you in anyway, albeit without tickets.
	Your password must be at least eight characters,
	and it has to be at least your second login on that machine,
	but it need not be *from* the same machine.

What should have happened:

	Well, it occurs to me that it shouldn't have logged me in when I
	typed my password incorrectly (with additional characters).
	I'm not particularly upset - this doesn't seem to be a big security
	hole, since it seems you need to know the whole password in order
	to get into this state.  I just wonder if this is already a known
	phenomenology.

Please describe any relevant documentation references:

	I can provide more specific examples, but I did experiments with
	several different usernames, and several different password lengths,
	on several different dialups, with several different strings of
	characters after the password.

	Is this a standard mode of Athena operation?

________________________________________________________________________
Owen W. Ozier                                               ooze@mit.edu
69 Magazine St., Apt. #2                                 ooze@ai.mit.edu
Cambridge, MA 02139                                  ooze@psyche.mit.edu
(617) 491 2293                     http://web.mit.edu/ooze/Web/home.html
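Added example, not code from the report or from Athena's login programs: a constructed Python model of the behaviour described above, assuming (as a hypothesis, since the report does not state the cause) that the first successful Kerberos login caches a local hash of the password truncated to eight characters, the classic crypt(3) limit, and that later logins fall back to that cache whenever Kerberos rejects the password. The principal name, sample password and the `LoginHost` policy flags are constructed for the illustration.

```python
import hashlib
import hmac
import os

CRYPT_LIMIT = 8                            # assumed legacy crypt(3) limit
KDC_PASSWORDS = {"ooze": "correcthorse"}   # constructed sample principal

def kerberos_check(user, password):
    # Model of the KDC verdict: 'ok' or 'wrong'
    real = KDC_PASSWORDS.get(user, "")
    return "ok" if hmac.compare_digest(real, password) else "wrong"

kdc_unreachable = lambda user, password: "unreachable"  # KDC cannot be contacted

def local_hash(password, salt, truncate):
    # The weak variant keeps only the first CRYPT_LIMIT characters, so
    # anything typed after the real password is silently ignored.
    pw = password[:CRYPT_LIMIT] if truncate else password
    return hashlib.sha256(salt + pw.encode()).hexdigest()

class LoginHost:
    def __init__(self, truncate, fallback_on_reject):
        self.truncate = truncate                      # truncate cached hash?
        self.fallback_on_reject = fallback_on_reject  # use cache on 'wrong'?
        self.cache = {}

    def login(self, user, password, kdc=kerberos_check):
        verdict = kdc(user, password)
        if verdict == "ok":                           # cache on first success
            salt = os.urandom(8)
            self.cache[user] = (salt, local_hash(password, salt, self.truncate))
            return "tickets"
        may_fall_back = verdict == "unreachable" or self.fallback_on_reject
        if may_fall_back and user in self.cache:
            salt, digest = self.cache[user]
            if hmac.compare_digest(digest, local_hash(password, salt, self.truncate)):
                return "no-tickets"                   # the reported symptom
        return "denied"

def demo():
    buggy = LoginHost(truncate=True, fallback_on_reject=True)
    fixed = LoginHost(truncate=False, fallback_on_reject=False)
    return {
        "buggy_first": buggy.login("ooze", "correcthorsexyz"),  # no cache yet
        "buggy_second": (buggy.login("ooze", "correcthorse"),
                         buggy.login("ooze", "correcthorsexyz")),
        "fixed_second": (fixed.login("ooze", "correcthorse"),
                         fixed.login("ooze", "correcthorsexyz")),
        "fixed_kdc_down": fixed.login("ooze", "correcthorse", kdc=kdc_unreachable),
    }
```

The hardened host changes two things: it hashes the whole password, and it consults the local cache only when the KDC cannot be reached, never when the KDC has actually rejected the password.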
