"min" and "max" seem to be specific to Debian, and only get used
together with the "obscure" keyword: There's a Debian-specific patch
(debian/patches-applied/007_modules_pam_unix), which adds the function
obscure_msg(), where "min" and "max" get handled.

If "md5" gets used, it assumes "unlimited password length" and skips
password_check()!

It does not really check for pass_max_len otherwise, either.

Then, there is a "strange" check in obscure_msg() - at least I don't understand 
it:
+       if (oldlen <= pass_max_len && newlen <= pass_max_len)
+               return NULL;
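Review bot: the early "return NULL" taken when both oldlen and newlen are within pass_max_len has no comment saying what a NULL return means to the caller, or why both lengths being within the limit ends the function at this point. A one-line comment above the "if" stating the intent would make the condition readable on its own.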
..and the passwords passed to password_check() then get limited to pass_max_len
(which seems to be the only use of "max").

Altogether, this looks really weird.

I'm using Ubuntu Feisty, pam 0.79-4ubuntu2.

btw: apart from that, limiting a password to the first X chars seems to
be bad IMHO!

** Changed in: pam (Ubuntu)
       Status: Unconfirmed => Confirmed

-- 
Documentation for pam_unix incorrect for "max=" option
https://bugs.launchpad.net/bugs/85790