tags 406046 normal
thanks

On Mon, Jan 08, 2007 at 09:13:22AM +0100, [EMAIL PROTECTED] wrote:
> Package: passwd
> Version: 1:4.0.18.1-6
> Severity: important
>
> When using useradd with an encrypted password, the password is limited to
> eight characters, but this is not mentioned anywhere.
> Example: Cleartext password "testuserpass" makes encrypted password
> "33nGdctTISeok". The system then accepts "testuser" as password when
> logging in.
> Since this is not mentioned anywhere it poses a security risk even if one
> uses a complex password but the 'complexity' is after the first eight
> characters (which might be a word easily cracked).
How did you create the user? useradd creates the user, but does not set a password.

Also, the encrypted password you mentioned is not an MD5 password (it's, for example, the output of `mkpasswd testuserpasssdf 33`). I suppose your system is not MD5 enabled. Only MD5 passwords can be longer than 8 characters.

As MD5 passwords are the default on Debian, I'm lowering the severity of this bug.

I'm interested in the following points:
 * How did you create the user?
 * How did you set the user's password?
 * What's your /etc/pam.d/passwd (and other included files)?
   In particular, does it contain something like:
   password required pam_unix.so md5

Kind Regards,

--
Nekral
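An added audit script, not part of the thread, that does the check Nekral's reply implies: it scans shadow-style entries and flags accounts whose hash is in the traditional DES crypt format (bare 13-character field, no `$id$` prefix), where only the first eight password characters are significant, as opposed to MD5-crypt (`$1$`) entries. The sample shadow lines are constructed, apart from the "33nGdctTISeok" hash quoted in the report.

```python
import re

# Constructed sample /etc/shadow content. The "testuser" hash is the one quoted
# in the bug report; every other line is made up for the demonstration.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:13500:0:99999:7:::
testuser:33nGdctTISeok:13500:0:99999:7:::
daemon:*:13500:0:99999:7:::
nobody:!:13500:0:99999:7:::
alice:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmn:13500:0:99999:7:::
"""

# Traditional DES crypt: 2 salt chars + 11 hash chars from the crypt alphabet,
# no "$id$" prefix. This scheme ignores everything after the 8th password char.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")


def hash_scheme(field):
    """Classify the password field of one shadow entry."""
    if field in ("", "*") or field.startswith("!"):
        return "locked-or-empty"
    if field.startswith("$1$"):
        return "md5-crypt"          # no 8-character limit
    if field.startswith("$5$"):
        return "sha256-crypt"
    if field.startswith("$6$"):
        return "sha512-crypt"
    if DES_HASH.match(field):
        return "des-crypt"          # only the first 8 password chars matter
    return "unknown"


def find_des_accounts(shadow_text):
    """Return usernames whose stored hash uses the 8-character-limited DES scheme."""
    flagged = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        if hash_scheme(parts[1]) == "des-crypt":
            flagged.append(parts[0])
    return flagged


if __name__ == "__main__":
    for user in find_des_accounts(SAMPLE_SHADOW):
        print(f"{user}: DES crypt hash, password effectively limited to 8 characters")
```

Run against a real /etc/shadow (as root), any account it lists still has a DES-format hash and should have its password reset once MD5 (or a stronger scheme) is enabled in pam_unix.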