Mailinglist Archive: opensuse-security (465 mails)

AW: [suse-security] initial substring matches passwd when su'ing to root
  • From: Peer Stefan <stefan.peer@xxxxxxxx>
  • Date: Mon, 17 Dec 2001 09:34:54 +0100
  • Message-id: <3559BA35534FD511A1200002557C39B0AF5F@xxxxxxxxxxxxxxxxxxxxx>
If you want to enable longer passwords (more than 8 characters) you have to
edit /etc/login.defs.
There should be an entry
PASS_MIN_LEN 5
and another one
PASS_MAX_LEN 8
which means any password with 5 or more characters is OK and only the
first 8 characters are passed to crypt(). You can set the PASS_MAX_LEN to
any value up to 255.
An easier way to achieve this is to use the harden_suse script, which asks
you about the length of passwords.

regards,
Stefan

-----Original Message-----
From: Corvin Russell [mailto:corvinr@xxxxxxxxxxxx]
Sent: Monday, 17 December 2001 07:10
To: John Andersen
Cc: suse-security@xxxxxxxx
Subject: Re: [suse-security] initial substring matches passwd when
su'ing to root


On Sun, Dec 16, 2001 at 08:54:30AM -0900, John Andersen wrote:

>
> Weird. I can't get it to fail here. How long was the full root passwd?

The original (for which an initial substring of 7 or more characters
matched) was 16 characters long. The second (matching for at least
the 8 initial characters) is 10 characters long.


> >
> > By sheer accident I noticed that an initial substring (of 7 characters
> > or longer) of my root password will return a match when I su to root.
> >
> > I have become a little lax about policing my system, which is just a
> > home workstation, however, I am wondering if this is a known problem or if
> > it is likely that I have been compromised. Frankly, I am soon to
> > reinstall, and there is not exactly anything super-secret on my hard
> > drive, so I am not too worried... but anyhow. BTW, I changed the root
> > password and again, an initial substring (this time of 8 or more
> > characters) returns a match.


--
Corvin Russell <corvinr@xxxxxxxxxxxx>
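
Added example, not part of the original thread or of any SUSE tool: a small audit that reads login.defs-style text for the PASS_MAX_LEN setting discussed above and flags shadow entries that still hold a traditional 13-character DES crypt() hash, which covers only the first 8 characters of the password. The sample input and hash strings are constructed, the function names are hypothetical, and the fallback of 8 when PASS_MAX_LEN is absent is an assumption.

```python
import re

# Traditional DES crypt(3) output: 2 salt + 11 hash characters, no "$" prefix.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_SIGNIFICANT_CHARS = 8  # classic crypt() ignores the rest of the password

# Constructed sample input; the hash strings are made up, not real hashes.
SAMPLE_LOGIN_DEFS = """\
# minimum and maximum password length
PASS_MIN_LEN    5
PASS_MAX_LEN    8   # value quoted in the message
"""
SAMPLE_SHADOW = """\
root:ab01FAX.bQRSU:11673:0:99999:7:::
alice:$1$abcdefgh$0123456789abcdefghijk.:11673:0:99999:7:::
daemon:*:11673:0:99999:7:::
"""

def parse_login_defs(text):
    """Return {KEY: value} from login.defs-style text, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings

def hash_scheme(field):
    """Classify the second (password) field of a shadow entry."""
    if not field or field[0] in "!*":
        return "none-or-locked"
    if field.startswith("$"):
        return "modular"  # $id$salt$hash format, e.g. $1$ for MD5-crypt
    return "des" if DES_HASH.match(field) else "unknown"

def audit(login_defs_text, shadow_text):
    """Report the configured limit and accounts still holding DES hashes."""
    # Assumption: treat a missing PASS_MAX_LEN as 8.
    max_len = int(parse_login_defs(login_defs_text).get("PASS_MAX_LEN", 8))
    des_users = [e.split(":")[0] for e in shadow_text.splitlines()
                 if e.count(":") >= 1 and hash_scheme(e.split(":")[1]) == "des"]
    return {"pass_max_len": max_len,
            "config_truncates": max_len <= DES_SIGNIFICANT_CHARS,
            "des_users": des_users}

if __name__ == "__main__":
    print(audit(SAMPLE_LOGIN_DEFS, SAMPLE_SHADOW))
```

An account listed in `des_users` keeps its 8-character hash until its password is set again, so raising the limit alone does not change stored entries.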

