initial substring matches passwd when su'ing to root
Hi all.
By sheer accident I noticed that an initial substring (of 7 characters
or longer) of my root password will return a match when I su to root.
I have become a little lax about policing my system, which is just a
home workstation, however, I am wondering if this is a known problem or if
it is likely that I have been compromised. Frankly, I am soon to
reinstall, and there is not exactly anything super-secret on my hard
drive, so I am not too worried... but anyhow. BTW, I changed the root
password and again, an initial substring (this time of 8 or more
characters) returns a match.
TIA
Corvin
--
Corvin Russell
Weird. I can't get it to fail here. How long was the full root passwd?

On Sunday 16 December 2001 06:47 pm, Corvin Russell wrote:
> Hi all.
> By sheer accident I noticed that an initial substring (of 7 characters or longer) of my root password will return a match when I su to root.
> I have become a little lax about policing my system, which is just a home workstation, however, I am wondering if this is a known problem or if it is likely that I have been compromised. Frankly, I am soon to reinstall, and there is not exactly anything super-secret on my hard drive, so I am not too worried... but anyhow. BTW, I changed the root password and again, an initial substring (this time of 8 or more characters) returns a match.
> TIA
> Corvin

--
_________________________________
John Andersen / Juneau Alaska
On Sun, Dec 16, 2001 at 08:54:30AM -0900, John Andersen wrote:
> Weird. I can't get it to fail here. How long was the full root passwd?

The original (for which an initial substring of 7 or more characters matched) was 16 characters long. The second (matching for at least the 8 initial characters) is 10 characters long.

> By sheer accident I noticed that an initial substring (of 7 characters or longer) of my root password will return a match when I su to root.
> I have become a little lax about policing my system, which is just a home workstation, however, I am wondering if this is a known problem or if it is likely that I have been compromised. Frankly, I am soon to reinstall, and there is not exactly anything super-secret on my hard drive, so I am not too worried... but anyhow. BTW, I changed the root password and again, an initial substring (this time of 8 or more characters) returns a match.
--
Corvin Russell
It doesn't matter anymore, since it's not the password, so:
The original root password was h4rsroohXL9700_q
It matched with h4rsroo or longer.
Corvin
--
Corvin Russell
On Monday, 17 December 2001 04:47, you wrote:
> Hi all.
> By sheer accident I noticed that an initial substring (of 7 characters or longer) of my root password will return a match when I su to root.

Hi there,

One possibility to solve this problem is to use the md5-capability of pam! You have to insert an md5 in some of the conf. files in /etc/pam.d, e.g. in /etc/pam.d/passwd:

#%PAM-1.0
auth     required /lib/security/pam_unix.so nullok
account  required /lib/security/pam_unix.so
password required /lib/security/pam_pwcheck.so nullok md5
password required /lib/security/pam_unix.so nullok md5 use_first_pass use_authtok
session  required /lib/security/pam_unix.so

At the moment I don't know where and why you have to insert the md5's, but this is actually what hardensuse does. After inserting the md5's (in passwd, sshd, login etc.) you have to "renew" your passwords with passwd, and now the passwords could be longer than 8 characters.

Correct me if I'm wrong, but only editing PASS_MIN_LEN and PASS_MAX_LEN isn't enough; crypt() (with passwd) ignores everything beyond 8 characters. With md5 a hash of your password is calculated which is passed to crypt().

HTH
------------------
Guido Tschakert
Sys-Ad, SRC
------------------