Your message dated Wed, 2 Mar 2011 16:50:53 -0800
with message-id <[email protected]>
and subject line Re: Bug#616161: Password >= 8 chars can not be changed to one
that starts with the same 8 chars
has caused the Debian Bug report #616161,
regarding Password >= 8 chars can not be changed to one that starts with the
same 8 chars
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
616161: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616161
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pam
Version: 1.1.1-2
quilt patch 007_modules_pam_unix adds a check to see if the password you
are changing to is the same as the old password. It contains this comment:
/* The traditional crypt() truncates passwords to 8 chars. It is
possible to circumvent the above checks by choosing an easy
8-char password and adding some random characters to it...
Example: "password$%^&*123". So check it again, this time
truncated to the maximum length. Idea from npasswd. --marekm */
So it appears to intentionally not allow the first 8 characters to
remain the same in case ONLY the first 8 characters actually matter.
This no longer seems to be the case, and so I think this second test
should be dropped.
--- End Message ---
--- Begin Message ---
On Wed, Mar 02, 2011 at 04:39:07PM -0500, Phillip Susi wrote:
> quilt patch 007_modules_pam_unix adds a check to see if the password you
> are changing to is the same as the old password. It contains this comment:
> /* The traditional crypt() truncates passwords to 8 chars. It is
> possible to circumvent the above checks by choosing an easy
> 8-char password and adding some random characters to it...
> Example: "password$%^&*123". So check it again, this time
> truncated to the maximum length. Idea from npasswd. --marekm */
>
> So it appears to intentionally not allow the first 8 characters to
> remain the same in case ONLY the first 8 characters actually matter.
> This no longer seems to be the case, and so I think this second test
> should be dropped.
As stated in https://bugs.launchpad.net/ubuntu/+source/pam/+bug/600749, I
believe the code is correct and that you have misinterpreted the comment.
Please do not forward Ubuntu bugs to the Debian pam package based entirely
on speculation about the source of a bug; I am subscribed to the Ubuntu pam
bugs anyway, so this just adds administrative overhead.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
[email protected] [email protected]
--- End Message ---
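The truncation idea from the quoted comment, as an added example that is not part of the original thread and does not reproduce the pam_unix patch: whether two passwords sharing a prefix count as "the same" depends on how many characters the stored hash scheme actually uses. The function names, the prefix-to-length mapping (8 for traditional DES crypt, 72 for bcrypt, unlimited otherwise) and the hash strings are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Effective password length for a crypt(3)-style hash string, chosen by
 * its prefix; 0 means the scheme uses the whole password.
 * Assumed mapping for this example only. */
static size_t effective_len(const char *stored_hash)
{
    if (strncmp(stored_hash, "$2", 2) == 0)
        return 72;                  /* bcrypt ($2a$, $2b$, $2y$) */
    if (stored_hash[0] == '$' || stored_hash[0] == '_')
        return 0;                   /* $1$, $5$, $6$, extended DES */
    return 8;                       /* no prefix: traditional DES crypt */
}

/* Returns 1 when new_pw counts as the same password as old_pw under the
 * scheme of stored_hash, i.e. they agree on every character the scheme
 * actually uses. */
static int same_effective_password(const char *stored_hash,
                                   const char *old_pw, const char *new_pw)
{
    size_t n = effective_len(stored_hash);

    if (n == 0)
        return strcmp(old_pw, new_pw) == 0;
    /* strncmp stops at the first NUL, so shorter passwords are safe. */
    return strncmp(old_pw, new_pw, n) == 0;
}

int main(void)
{
    /* Constructed hash strings: only the prefix is inspected. */
    const char *des = "abCONSTRUCTED";
    const char *sha512 = "$6$constructedsalt$CONSTRUCTED";
    const char *old_pw = "password";
    const char *new_pw = "password$%^&*123";  /* example from the comment */

    printf("DES crypt: same=%d\n",
           same_effective_password(des, old_pw, new_pw));
    printf("SHA-512:   same=%d\n",
           same_effective_password(sha512, old_pw, new_pw));
    return 0;
}
```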