long passwords - openSUSE Security - openSUSE Mailing Lists

newer
AW: [suse-security] DOS Attack !!

long passwords

older
DOS Attack !!

michael stone

26 Feb 2002 26 Feb '02

18:30

On two different SuSE machines (7.2 and 7.3), I am having a problem with them authenticating only from the first 8 characters of a password. Example, password is: ilovemyroot 'ilovemyr' and 'ilovemyr00t' will both pass authentication at console, and in any X applications (i.e. kdesu and kcheckpass) I have md5 enabled, and have verified the md5 entries in /etc/pam.d/passwd, /etc/pam.d/login, and /etc/pam.d/sshd Any thoughts? Anyone else with the same issues? I don't know much about pam and how it works. thanks, michael

Reply

Sign in to reply online Use email software

Show replies by date

Roman Drahtmueller

26 Feb 26 Feb

20:33

New subject: [suse-security] long passwords

On two different SuSE machines (7.2 and 7.3), I am having a problem with them authenticating only from the first 8 characters of a password.

Example, password is: ilovemyroot

'ilovemyr' and 'ilovemyr00t' will both pass authentication at console, and in any X applications (i.e. kdesu and kcheckpass)

I have md5 enabled, and have verified the md5 entries in /etc/pam.d/passwd, /etc/pam.d/login, and /etc/pam.d/sshd

Any thoughts? Anyone else with the same issues? I don't know much about pam and how it works.

Can you please verify that you really have an md5-password? If the crypted password starts with the string $1$, then it's md5. This looks like it's not md5, because the length of the password as stated in /etc/login.defs is ignored for md5.

thanks, michael

Thanks, Roman. -- - - | Roman Drahtmüller // "You don't need eyes to see, | SuSE GmbH - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - -

Reply

Sign in to reply online Use email software

michael stone

21:15

New subject: [suse-security] long passwords

On Tue, 26 Feb 2002, Roman Drahtmueller wrote:

Can you please verify that you really have an md5-password? If the crypted password starts with the string $1$, then it's md5. This looks like it's not md5, because the length of the password as stated in /etc/login.defs is ignored for md5.

I found the problem, I did not have a md5 password. I had changed my password with Yast2, but it does not store the password as md5. Changing it again via passwd fixed it. thanks, michael

Thanks, Roman. -- - - | Roman Drahtmüller // "You don't need eyes to see, | SuSE GmbH - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - -

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Reply

Sign in to reply online Use email software

Michael Zimmermann

27 Feb 27 Feb

07:45

New subject: PAM-Entry for Yast2 (was long passwords)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At Dienstag, 26. Februar 2002 22:15 michael stone wrote:

I found the problem, I did not have a md5 password. I had changed my password with Yast2, but it does not store the password as md5.

Is there a way to tell Yast2 to generate md5-passwords? After adding 'md5' to the password-entry in /etc/pam.d/password I found that yast2 is generating md5-look-alike passwords, but is using only a two-char seed as apposed to the usual 8-char seed when using /usr/bin/passwd. So somehow yast2 might be looking at /etc/pam.d/passwd, but is not implementing the full PAM-md5 method to generate the passwords (i.e. yast2 seems to use only the usual crypt-seed of 2 characters long). Perhaps it might be an idea to have yast2 use full PAM support with it's own PAM-parameter-file like /etc/pam.s/yast2 ? Greetings Michael - -- Michael Zimmermann (Vegaa Internet Services) phone +49 89 6283 7632 hotline +49 163 823 1195 Key fingerprint = 1E47 7B99 A9D3 698D 7E35 9BB5 EF6B EEDB 696D 5811 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8fI6q72vu22ltWBERAqF3AJwPU9I46ScVQBBEiEZ8tmn8akh5kQCeIsUZ Sv2ztAj1kUhbThkKfmIpcz0= =G+88 -----END PGP SIGNATURE-----

Reply

Sign in to reply online Use email software

Roman Drahtmueller

10:06

New subject: [suse-security] PAM-Entry for Yast2 (was long passwords)

the full PAM-md5 method to generate the passwords (i.e. yast2 seems to use only the usual crypt-seed of 2 characters long).

Perhaps it might be an idea to have yast2 use full PAM support with it's own PAM-parameter-file like /etc/pam.s/yast2 ?

This approach is correct. I have passed it on to our yast2 development team, it's an open bug now. I hope it gets fixed in the future. Thanks for the suggestion and the problem.

Greetings Michael

Thanks, Roman. -- - - | Roman Drahtmüller // "You don't need eyes to see, | SuSE GmbH - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - -

Reply

Sign in to reply online Use email software

8096

Age (days ago)

8097

Last active (days ago)

Download

4 comments

3 participants

tags

participants (3)

michael stone
Michael Zimmermann
Roman Drahtmueller