Re: [suse-security] initial substring matches passwd when su'ing to root
If you want to enable longer passwords (more than 8 characters) you have to edit /etc/login.defs. There should be an entry PASS_MIN_LEN 5 and another one PASS_MAX_LEN 8, which means any password with 5 or more characters is OK and only the first 8 characters are passed to crypt(). You can set PASS_MAX_LEN to any value up to 255. An easier way to achieve this is to use the harden_suse script, which asks you about the length of passwords.

regards,
Stefan

-----Original Message-----
From: Corvin Russell [mailto:corvinr@sympatico.ca]
Sent: Monday, 17 December 2001 07:10
To: John Andersen
Cc: suse-security@suse.com
Subject: Re: [suse-security] initial substring matches passwd when su'ing to root

> On Sun, Dec 16, 2001 at 08:54:30AM -0900, John Andersen wrote:
> > Weird. I can't get it to fail here. How long was the full root password?
>
> The original (for which an initial substring of 7 or more characters matched) was 16 characters long. The second (matching for at least the 8 initial characters) is 10 characters long.
>
> > > By sheer accident I noticed that an initial substring (of 7 characters or longer) of my root password will return a match when I su to root.
> > > I have become a little lax about policing my system, which is just a home workstation; however, I am wondering if this is a known problem or if it is likely that I have been compromised. Frankly, I am soon to reinstall, and there is not exactly anything super-secret on my hard drive, so I am not too worried... but anyhow. BTW, I changed the root password and again, an initial substring (this time of 8 or more characters) returns a match.
>
> --
> Corvin Russell
On Mon, Dec 17, 2001 at 09:34:54AM +0100, Peer Stefan wrote:
> If you want to enable longer passwords (more than 8 characters) you have to edit /etc/login.defs. There should be an entry PASS_MIN_LEN 5 and another one PASS_MAX_LEN 8, which means any password with 5 or more characters is OK and only the first 8 characters are passed to crypt(). You can set PASS_MAX_LEN to any value up to 255. An easier way to achieve this is to use the harden_suse script, which asks you about the length of passwords.

Hi Stefan,

Thanks for the reply. This is the value in my /etc/login.defs:

    PASS_MAX_LEN "40"

Corvin

--
Corvin Russell
Hi,

On Mon, Dec 17, 2001 at 03:59:15AM -0500, Corvin Russell wrote:
> On Mon, Dec 17, 2001 at 09:34:54AM +0100, Peer Stefan wrote:
> > If you want to enable longer passwords (more than 8 characters) you have to edit /etc/login.defs. There should be an entry PASS_MIN_LEN 5 and another one PASS_MAX_LEN 8, which means any password with 5 or more characters is OK and only the first 8 characters are passed to crypt(). You can set PASS_MAX_LEN to any value up to 255. An easier way to achieve this is to use the harden_suse script, which asks you about the length of passwords.
>
> Thanks for the reply. This is the value in my /etc/login.defs:
>
>     PASS_MAX_LEN "40"

Sorry, but the only answer here is RTFM.

man login.defs:

    ...
    PASS_MAX_LEN (number)
        Number of significant characters in the password for crypt().
        Default is 8, don't change unless your crypt() is better. This
        option is ignored if the "md5" option is given to the pam_pwcheck
        module.
    ...

man crypt:

    ...
    By taking the lowest 7 bits of each character of the key, a 56-bit key
    is obtained. This 56-bit key is used to ...

and 56/7 equals 8.

less /usr/share/doc/packages/pam/README.md5

    MD5 passwords on SuSE Linux
    ===========================

    SuSE Linux is able to handle MD5 passwords. With MD5 encryption,
    passwords can be longer than 8 characters (up to 128 characters).
    Since MD5 encryption is not compatible with the standard Unix crypt()
    function, most commercial Unices and some programs don't work with
    MD5 passwords. So be careful if you enable this feature.

HTH
Johannes
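Added example, not part of the thread and not SuSE's own tooling: a short Python script that reproduces the key derivation Johannes quotes from crypt(3) (first 8 characters, lowest 7 bits of each), so you can see why an 8-character prefix of a DES-hashed root password is accepted by su, and a check over /etc/shadow-style lines that reports which accounts still carry a traditional 13-character DES hash rather than the "$1$" MD5 format described in README.md5. The password, shadow lines and hash strings below are constructed for the example; the hashes are placeholders of the right shape, not real hashes of any password.

```python
# Added example: why DES crypt(3) only looks at 8 characters, and how to
# spot accounts that still depend on it.  Not code from the thread or from
# SuSE; sample data below is constructed.

DES_KEY_CHARS = 8  # 56 bits / 7 bits per character, as the thread works out


def des_crypt_key(password: bytes) -> bytes:
    """Return the 8 key bytes traditional crypt(3) feeds into DES.

    Follows the crypt(3) man page quoted in the thread: only the first 8
    characters are used, and only the lowest 7 bits of each.  Each key byte
    holds those 7 bits shifted left by one (the DES parity-bit position).
    Characters beyond the 8th never influence the hash; a shorter password
    is zero-padded.
    """
    key = bytearray(DES_KEY_CHARS)
    for i, ch in enumerate(password[:DES_KEY_CHARS]):
        key[i] = (ch & 0x7F) << 1
    return bytes(key)


def same_des_hash(a: bytes, b: bytes) -> bool:
    """True when two passwords are indistinguishable to DES crypt()."""
    return des_crypt_key(a) == des_crypt_key(b)


def significant_chars(hash_field: str) -> tuple:
    """Classify a shadow hash field: (scheme, max significant characters).

    A traditional DES hash has no '$' prefix and is 13 characters long
    (2 salt + 11 hash).  "$1$" marks the MD5 scheme from README.md5, where
    up to 128 characters are significant.  Locked or empty fields are
    reported as such; anything else is 'unknown' rather than guessed at.
    """
    if hash_field.startswith("$1$"):
        return ("md5", 128)
    if hash_field in ("", "*", "!", "!!") or hash_field.startswith("!"):
        return ("locked-or-empty", 0)
    if "$" not in hash_field and len(hash_field) == 13:
        return ("des", DES_KEY_CHARS)
    return ("unknown", None)


def audit_shadow(shadow_text: str) -> list:
    """Return [(user, scheme, significant_chars), ...] for each shadow line."""
    findings = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user, hash_field = fields[0], fields[1]
        scheme, n = significant_chars(hash_field)
        findings.append((user, scheme, n))
    return findings


# Constructed sample shadow lines (hypothetical users; hash strings are
# placeholders with the right length/prefix, not hashes of real passwords).
SAMPLE_SHADOW = """\
root:ab1234567890A:11673:0:99999:7:::
corvin:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:11673:0:99999:7:::
nobody:*:11673:0:99999:7:::
"""

if __name__ == "__main__":
    full = b"correcthorsebatt"             # constructed 16-character root password
    print(same_des_hash(full, full[:8]))   # 8-character prefix: same DES key
    print(same_des_hash(full, full[:7]))   # 7 characters: 8th key byte differs
    # High bit of every character is discarded, so these collide too:
    print(same_des_hash(b"passw0rd", bytes(c | 0x80 for c in b"passw0rd")))
    for user, scheme, n in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {scheme}, {n} significant characters")
```

Run against a real /etc/shadow (as root) the audit reports every account whose hash is still the 13-character DES form; those are the ones for which PASS_MAX_LEN "40" in login.defs changes nothing, exactly as the login.defs man page says.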
participants (3)
- Corvin Russell
- Johannes Geiger
- Peer Stefan