Re: [suse-security] Passwords
Brian Galbraith <brian.galbraith@bigfoot.com> writes:
However I was still able to log in as root using abcdefgh, AND abcdefghxy
How can this happen? I have now changed it to abcdejkl and now have proper access restored.
Unix, and Linux, only look at the first eight characters of your password. So if your password is 12345678 or 12345678910112, for Linux it's the same.
(These examples are for illustration purposes only, and bear no resemblance to the actual passwords)
Regards Brian
HTH,
--
Frank Hart - mailto:frhart@home.nl
SuSE Linux 6.3 - Kernel 2.2.14 on an i686 450 MHz with 128 MB RAM
* Frank Hart wrote on Sun, Jan 30, 2000 at 16:55 +0100:
Unix, and Linux, only look at the first eight characters of your password. So if your password is 12345678 or 12345678910112, for Linux it's the same.
BTW: PAM offers MD5 encryption for passwords, I read somewhere. This should make passwords longer than 8 chars usable. Is anybody using MD5 for passwords?
oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
Hi, On Mon, Jan 31, Steffen Dettmer wrote:
* Frank Hart wrote on Sun, Jan 30, 2000 at 16:55 +0100:
Unix, and Linux, only look at the first eight characters of your password. So if your password is 12345678 or 12345678910112, for Linux it's the same.
BTW: PAM offers MD5 encryption for passwords, I read somewhere. This should make passwords longer than 8 chars usable. Is anybody using MD5 for passwords?
I have working pam_unix modules with MD5 support on ftp.suse.com. But NIS+ does not allow MD5 passwords. With NIS it can work, but there is no guarantee that it works and that new passwords are really MD5 ones and not crypt ones. And not every program works with MD5 passwords, because the buffers are too small. And besides Linux/*BSD there is no other Unix which really supports it.
Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE GmbH Schanzaeckerstr. 10 90443 Nuernberg
Linux is like a Vorlon. It is incredibly powerful, gives terse, cryptic answers and has a lot of things going on in the background.
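An added example, not code from any message in this thread, to make Frank's eight-character point and Thorsten's crypt-versus-MD5 distinction concrete: the first function derives the DES key the way traditional crypt(3) does, so any two passwords that share their first eight characters compare equal, and the audit function flags shadow-style entries that still use that scheme. The sample shadow lines and their hash fields are constructed placeholders.

```python
# Added example, not from the thread: why "abcdefgh" and "abcdefghxy"
# are one password under traditional crypt(3), plus a small shadow audit.

def des_crypt_key(password: str) -> bytes:
    """Build the 56-bit DES key the way traditional crypt(3) does:
    only the first 8 characters count, low 7 bits of each, shifted left
    one bit (the parity position). Everything after char 8 is ignored."""
    key = bytearray(8)
    for i, ch in enumerate(password[:8]):
        key[i] = (ord(ch) & 0x7F) << 1
    return bytes(key)

def same_under_des_crypt(a: str, b: str) -> bool:
    """True when traditional crypt would hash a and b identically."""
    return des_crypt_key(a) == des_crypt_key(b)

# Modular-crypt prefixes that feed the whole password into the hash.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

def classify_hash(field: str) -> tuple:
    """Return (scheme, truncates_at_8) for one shadow password field.
    A 13-character field with no '$' is traditional DES crypt."""
    if field == "" or field.startswith(("*", "!")):
        return ("locked/none", False)
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return (name, False)
    if len(field) == 13 and "$" not in field:
        return ("des-crypt", True)
    return ("unknown", False)

def audit_shadow(text: str) -> list:
    """List (user, scheme, truncates_at_8) for every shadow-style line,
    so accounts still limited to 8 effective characters stand out."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        scheme, truncates = classify_hash(field)
        report.append((user, scheme, truncates))
    return report

# Constructed sample; the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """root:ab1Cd2eF3gH4i:10987:0:99999:7:::
alice:$1$saltsalt$PLACEHOLDER0123456789a:10987:0:99999:7:::
nobody:*:10987:0:99999:7:::
"""
```

Running audit_shadow(SAMPLE_SHADOW) reports root as des-crypt with truncation and alice as md5crypt without it.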
Thorsten Kukuk writes:
On Mon, Jan 31, Steffen Dettmer wrote:
* Frank Hart wrote on Sun, Jan 30, 2000 at 16:55 +0100:
Unix, and Linux, only look at the first eight characters of your password. So if your password is 12345678 or 12345678910112, for Linux it's the same.
BTW: PAM offers MD5 encryption for passwords, I read somewhere. This should make passwords longer than 8 chars usable. Is anybody using MD5 for passwords?
I have working pam_unix modules with MD5 support on ftp.suse.com. But NIS+ does not allow MD5 passwords. With NIS it can work, but there is no guarantee that it works and that new passwords are really MD5 ones and not crypt ones. And not every program works with MD5 passwords, because the buffers are too small. And besides Linux/*BSD there is no other Unix which really supports it.
Solaris 2.6 ff., Tru64 and, if I recall correctly, HP-UX 11 ff. all support PAM.
--
Real Name: Bernd Felsche
Email: nospam.bernie@perth.DIALix.com.au
http://www.perth.dialix.com.au/~bernie - Private HP
On Mon, Jan 31, Bernd Felsche wrote:
Thorsten Kukuk writes:
On Mon, Jan 31, Steffen Dettmer wrote:
* Frank Hart wrote on Sun, Jan 30, 2000 at 16:55 +0100:
Unix, and Linux, only look at the first eight characters of your password. So if your password is 12345678 or 12345678910112, for Linux it's the same.
BTW: PAM offers MD5 encryption for passwords, I read somewhere. This should make passwords longer than 8 chars usable. Is anybody using MD5 for passwords?
I have working pam_unix modules with MD5 support on ftp.suse.com. But NIS+ does not allow MD5 passwords. With NIS it can work, but there is no guarantee that it works and that new passwords are really MD5 ones and not crypt ones. And not every program works with MD5 passwords, because the buffers are too small. And besides Linux/*BSD there is no other Unix which really supports it.
Solaris 2.6 ff., Tru64 and, if I recall correctly, HP-UX 11 ff. all support PAM.
Yes, they support PAM, but this is not enough. The protocols you are using must also allow longer passwords. And this is very often not the case: a great many of the protocols and packages have a hardcoded length for the password buffer.
Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE GmbH Schanzaeckerstr. 10 90443 Nuernberg
Linux is like a Vorlon. It is incredibly powerful, gives terse, cryptic answers and has a lot of things going on in the background.
On Mon, 31 Jan 2000, Thorsten Kukuk wrote:
Yes, they support PAM, but this is not enough. The protocols you are using must also allow longer passwords. And this is very often not the case: a great many of the protocols and packages have a hardcoded length for the password buffer.
I'm not a coding expert, but I thought it was recommended practice to 'hardcode' the length of buffers, in order to limit buffer overflows. Esp. on ones like password fields, where authentication generally is NOT required before entering data into the buffer. Or have I completely missed the boat on buffer overflows?
cog
--
COGNITE.NET coming back online Feb 1st.
cognition@bigfoot.com - http://www.cognite.net/ - PGP KeyID: 0x45FAC283
"The Mind is everything. What you think you become."
I'm sure Thorsten is coding expert enough, but still here's my -,02 FRS :-)
On Mon, 31 Jan 2000, cogNiTioN wrote:
I'm not a coding expert, but I thought it was recommended practice to 'hardcode' the length of buffers, in order to limit buffer overflows. Esp. on ones like password fields, where authentication generally is NOT required before entering data into the buffer.
You don't have to hardcode the length of your field, but you have to check the length of what you try to fill in. You can allocate variable-length fields every time you need them, but you have to handle running out of memory gracefully. Since that's a hassle, you might want to stick with fixed fields in the first place.
Cheers
Robert
--
Robert Casties --------------------- http://philoscience.unibe.ch/~casties
History & Philosophy of Science Tel: +41/31/631-8505 Room: 216
Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern
Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
Hi, On Mon, Jan 31, cogNiTioN wrote:
On Mon, 31 Jan 2000, Thorsten Kukuk wrote:
Yes, they support PAM, but this is not enough. The protocols you are using must also allow longer passwords. And this is very often not the case: a great many of the protocols and packages have a hardcoded length for the password buffer.
I'm not a coding expert, but I thought it was recommended practice to 'hardcode' the length of buffers, in order to limit buffer overflows. Esp. on ones like password fields, where authentication generally is NOT required before entering data into the buffer.
Or have I completely missed the boat on buffer overflows?
I don't know, but the problem is: some protocols (for example NIS+) reserve 14 bytes in a struct for a password. This is necessary because this struct will be encrypted. So you cannot use MD5 passwords; the buffer is too small. Other programs explicitly truncate the password after 8 characters, so you lose information.
Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE GmbH Schanzaeckerstr. 10 90443 Nuernberg
Linux is like a Vorlon. It is incredibly powerful, gives terse, cryptic answers and has a lot of things going on in the background.