Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] initial substring matches passwd when su'ing to root
  • From: Guido Tschakert <gt@xxxxxxxxxxx>
  • Date: Mon, 17 Dec 2001 16:44:24 +0100
  • Message-id: <E16Fzw1-0000c4-00@xxxxxxxxxxxxxxxxxxxxxxxx>
On Monday, 17 December 2001 04:47, you wrote:
> Hi all.
>
> By sheer accident I noticed that an initial substring (of 7 characters
> or longer) of my root password will return a match when I su to root.
>
Hi there,

One possibility to solve this problem is to use the md5-capability of pam!
You have to insert an md5 in some of the conf. files in /etc/pam.d:
e.g. in /etc/pam.d/passwd

#%PAM-1.0
auth required /lib/security/pam_unix.so nullok
account required /lib/security/pam_unix.so
password required /lib/security/pam_pwcheck.so nullok md5
password required /lib/security/pam_unix.so nullok md5 use_first_pass use_authtok
session required /lib/security/pam_unix.so

At the moment I don't know where and why you have to insert the md5's, but
this is actually what hardensuse does.
After inserting the md5's (in passwd, sshd, login etc.) you have to "renew"
your passwords with passwd, and now the passwords can be longer than 8
characters.
Correct me if I'm wrong, but only editing PASS_MIN_LEN and PASS_MAX_LEN isn't
enough; crypt() (with passwd) ignores everything beyond 8 characters.
With md5 a hash of your password is calculated which is passed to crypt().

HTH

------------------
Guido Tschakert
Sys-Ad, SRC
------------------
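A check that follows from the advice above, added here as an example and not the poster's own tooling: after the md5 option is enabled in the PAM configuration, every account keeps its old DES hash until its password is re-set with passwd, so this script flags shadow entries that still carry a 13-character DES hash (the scheme that uses only the first 8 password characters). The shadow lines are constructed sample data, not real hashes.

```python
"""Audit /etc/shadow-style entries for legacy DES crypt() hashes.

Added example (not from the original mailing-list post). Traditional DES
crypt() uses only the first 8 characters of the password, which is why a
long enough prefix of the real password still authenticates. After md5 is
enabled in pam_unix/pam_pwcheck, existing hashes stay DES until each
password is re-set with passwd; this lists the accounts still affected.
"""
import re

# Modular-crypt prefixes whose schemes do not truncate the password at 8 chars.
STRONG_PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256", "$6$": "sha512", "$7$": "scrypt", "$y$": "yescrypt",
}
# Legacy DES hash: 2-character salt + 11 characters, all from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field: str) -> str:
    """Return the hash scheme of one shadow password field."""
    if field == "" or field.startswith(("!", "*")):
        return "locked-or-no-password"
    for prefix, name in STRONG_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"
    return "unknown"

def audit_shadow(text: str) -> list:
    """Return (user, scheme) for every account whose hash is 8-char-limited DES."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if not line.strip() or line.startswith("#") or len(parts) < 2:
            continue
        if classify_hash(parts[1]) == "des":
            findings.append((parts[0], "des"))
    return findings

# Constructed sample shadow entries; the hash strings are made up, not real hashes.
SAMPLE_SHADOW = """\
root:ab8xGk2Xq1LmI:11675:0:99999:7:::
guido:$1$abcdefgh$ijklmnopqrstuvwxyz0123:11675:0:99999:7:::
backup:xyZ12abC34.dE:11675:0:99999:7:::
daemon:*:11675:0:99999:7:::
nobody:!!:11675:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {scheme} hash, only first 8 password chars count; re-set with passwd")
```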
