Hi,

On Mon, Jan 31, cogNiTioN wrote:
> On Mon, 31 Jan 2000, Thorsten Kukuk wrote:
>> Yes, they support PAM, but this is not enough. The protocols you are using must also allow longer passwords. And this is very often not the case; a lot of the protocols and of the packages have a hardcoded length for the password buffer.
>
> I'm not a coding expert, but I thought it was recommended practice to 'hardcode' the length of buffers, in order to limit buffer overflows. Esp. on ones like password fields, where authentication generally is NOT required before entering data into the buffer.
>
> Or have I completely missed the boat on buffer overflows?

I don't know, but the problem is: Some protocols (for example NIS+) reserve 14 bytes in a struct for a password. This is necessary because this struct will be encrypted. So you cannot use MD5 passwords; the buffer is too small. Other programs explicitly truncate the password after 8 characters, so you lose information.

Thorsten

--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE GmbH Schanzaeckerstr. 10 90443 Nuernberg
Linux is like a Vorlon. It is incredibly powerful, gives terse, cryptic answers and has a lot of things going on in the background.
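The two effects discussed in this thread, as an added example that is not part of the original messages: a bounds-checked 14-byte field prevents the overflow but cannot hold a longer hash, and truncation to 8 characters makes different passwords equivalent. The function names and sample strings are constructed for illustration; the 13-character and 34-character hash lengths are assumptions taken from the usual traditional crypt() and MD5-crypt output formats, not from the thread.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN  14  /* fixed field size named in the thread */
#define LEGACY_MAX 8   /* truncation length named in the thread */

/* Constructed placeholders with realistic lengths, not real hashes.
 * Assumption: traditional crypt() output is 13 chars, MD5-crypt up to 34. */
static const char DES_STYLE[] = "sa" "XXXXXXXXXXX";
static const char MD5_STYLE[] = "$1$saltsalt$" "XXXXXXXXXXX" "XXXXXXXXXXX";

/* Bounded store: rejects oversize input instead of overflowing or truncating.
 * Returns 0 on success, -1 if src (plus its NUL) does not fit. */
int store_field(char dst[FIELD_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= FIELD_LEN) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Convenience wrapper: 1 if the value fits the fixed field, else 0. */
int fits_field(const char *src) {
    char field[FIELD_LEN];
    return store_field(field, src) == 0;
}

/* Legacy behaviour described in the thread: keep only the first 8 chars. */
void truncate_legacy(char dst[LEGACY_MAX + 1], const char *pw) {
    size_t n = strlen(pw);
    if (n > LEGACY_MAX) n = LEGACY_MAX;
    memcpy(dst, pw, n);
    dst[n] = '\0';
}

/* 1 if two different passwords become identical once truncated. */
int collide_after_truncation(const char *a, const char *b) {
    char ta[LEGACY_MAX + 1], tb[LEGACY_MAX + 1];
    truncate_legacy(ta, a);
    truncate_legacy(tb, b);
    return strcmp(a, b) != 0 && strcmp(ta, tb) == 0;
}

int main(void) {
    printf("13-char hash fits: %d\n", fits_field(DES_STYLE));
    printf("34-char hash fits: %d\n", fits_field(MD5_STYLE));
    printf("truncation collision: %d\n",
           collide_after_truncation("correcthorse1", "correcthorse2"));
    return 0;
}
```

The fixed length is not what protects against the overflow; the length check before the copy is. The size of the field only decides which hash formats the protocol can carry.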