If you want to enable longer passwords (more than 8 characters) you have to edit /etc/login.defs. There should be an entry PASS_MIN_LEN 5 and another one PASS_MAX_LEN 8, which means any password with 5 or more characters is ok and only the first 8 characters are passed to crypt(). You can set the PASS_MAX_LEN to any value up to 255. An easier way to achieve this is to use the harden_suse script, which asks you about the length of passwords.

regards,
Stefan

-----Original Message-----
From: Corvin Russell [mailto:corvinr@sympatico.ca]
Sent: Monday, 17 December 2001 07:10
To: John Andersen
Cc: suse-security@suse.com
Subject: Re: [suse-security] initial substring matches passwd when su'ing to root

On Sun, Dec 16, 2001 at 08:54:30AM -0900, John Andersen wrote:
Weird. I can't get it to fail here. How long was the full root passwd?
The original (for which an initial substring of 7 or more characters matched) was 16 characters long. The second (matching for at least the 8 initial characters) is 10 characters long.
By sheer accident I noticed that an initial substring (of 7 characters or longer) of my root password will return a match when I su to root.
I have become a little lax about policing my system, which is just a home workstation, however, I am wondering if this is a known problem or if it is likely that I have been compromised. Frankly, I am soon to reinstall, and there is not exactly anything super-secret on my hard drive, so I am not too worried... but anyhow. BTW, I changed the root password and again, an initial substring (this time of 8 or more characters) returns a match.
--
Corvin Russell
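
Added example, not part of the original messages: a small audit of login.defs-style text for the PASS_MIN_LEN and PASS_MAX_LEN entries named in the reply, plus a model of the truncation it describes. The sample file content, the passwords and all function names are constructed for illustration.

```python
# Constructed sample mirroring the two entries named in the reply above.
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs excerpt (constructed)
PASS_MIN_LEN    5
PASS_MAX_LEN    8    # only this many characters are passed on
"""

def parse_login_defs(text):
    """Return {KEY: value} for 'KEY value' lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings

def length_limits(text):
    """Return (PASS_MIN_LEN, PASS_MAX_LEN) as ints, None if absent or not numeric."""
    settings = parse_login_defs(text)
    def as_int(key):
        value = settings.get(key, "")
        return int(value) if value.isdigit() else None
    return as_int("PASS_MIN_LEN"), as_int("PASS_MAX_LEN")

def treated_as_equal(stored, typed, max_len):
    """Model of the truncation described in the reply: only the first max_len
    characters of each password are compared (hypothetical helper)."""
    return stored[:max_len] == typed[:max_len]

def audit(text, wanted_len):
    """List findings for a policy that needs wanted_len significant characters."""
    findings = []
    min_len, max_len = length_limits(text)
    if max_len is None:
        findings.append("PASS_MAX_LEN missing or not numeric")
    elif max_len > 255:
        findings.append("PASS_MAX_LEN above 255")
    elif max_len < wanted_len:
        findings.append(f"PASS_MAX_LEN {max_len} truncates a {wanted_len}-character password")
    if None not in (min_len, max_len) and min_len > max_len:
        findings.append("PASS_MIN_LEN exceeds PASS_MAX_LEN")
    return findings

if __name__ == "__main__":
    print(length_limits(SAMPLE_LOGIN_DEFS))
    print(audit(SAMPLE_LOGIN_DEFS, wanted_len=16))
    # Constructed passwords sharing their first 8 characters.
    print(treated_as_equal("correcthorse-16ch", "correcthXYZ", 8))
```

Traditional DES-based crypt() itself uses only the first 8 characters of its input, so raising PASS_MAX_LEN helps only when the password hash scheme in use accepts longer passwords.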