James Sparenberg wrote on Thu, Sep 05, 2002 at 10:33:14PM -0700 :
>
> Not to correct you but have you tried to login as thisisav ... It
> often works. It definitely is true of passwords. We had a tech who
I had not tried it when I posted, but I just did:
[todd@fiji ~]$ ssh thisisav@bikini
thisisav@bikini's password:
Permission denied, please try again.
thisisav@bikini's password:
Permission denied, please try again.
thisisav@bikini's password:
Permission denied (publickey,password,keyboard-interactive).
[todd@fiji ~]$ ssh thisisaverylongname@bikini
thisisaverylongname@bikini's password:
[thisisaverylongname@bikini ~]$
> left a nice little message as the root password on some boxes
> cashoutandgotohellyoubastards (He was miffed) one of the guys hit
> return too fast after only entering cashoutandgohelly (or thereabouts)
> and he logged in. (Mandrake 7.2 up to date with all applicable updates.)
> This got us experimenting by removing one letter at a time and trying to
> su to root. When we got down to cashoutandgo ...... it worked.
> cashoutang didn't. (passwords are now changed) It seemed that Linux
> (RH or Mandrake) only checked the first 12 characters of the password
> string. It will accept longer ones into its database but only the
> first 12 are significant. In 9.0 however this doesn't seem to occur
You should study the crypt() function and you'll understand why (as I
recall, you are an old school programmer :). Older unix style crypt had
8 significant characters. Modern GNU-extension MD5 based crypt uses
something like 31 significant characters. Which one you are using
depends on the presence or absence of "md5" in one of the password lines
in /etc/pam.d/system-auth. The crypt function can tell which of the two
formats to use (there is a third too) by the format of the salt. Read
that man page several times and it will become enlightening. Play
around with the perl crypt() function and it will become even more
enlightening.
> (I'm checking now.) IE it may be a problem that is now solved but
> wasn't in pre 9.0 systems. (Can't check 8.2 right now... X has gone
> flaky again.... but 9.0beta 4 is rock rock solid same box same drive.)
Glad to hear it :)
Blue skies... Todd
--
MandrakeSoft USA http://www.mandrakesoft.com
Mandrake: An amalgam of good ideas from RedHat, Debian, and MandrakeSoft.
All in all, IMHO, an unbeatable combination. --Levi Ramsey on Cooker ML
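
The salt-format check described in the reply above, sketched as an audit script. This is an added example, not part of the original message: it reads shadow-format lines and system-auth text, and the sample data, hash strings and function names are constructed for illustration.

```python
import re

# Traditional DES crypt output: 2-char salt + 11-char hash, no '$' prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Name the crypt scheme of a shadow password field from its salt format."""
    if field == "":
        return "empty"
    h = field.lstrip("!")              # leading '!' marks a locked password
    if h in ("", "*"):
        return "locked"
    if h.startswith("$1$"):
        return "md5"                   # GNU-extension MD5 crypt
    if h.startswith("$"):
        return "other-modular"
    if DES_RE.match(h):
        return "des"                   # only the first 8 characters count
    return "unknown"

def legacy_accounts(shadow_text):
    """Return users whose stored hash is traditional DES crypt."""
    users = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and classify_hash(parts[1]) == "des":
            users.append(parts[0])
    return users

def pam_password_uses_md5(pam_text):
    """True if a 'password' line in system-auth carries the md5 option."""
    for line in pam_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0] == "password" and "md5" in tokens[1:]:
            return True
    return False

# Constructed sample data; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:11935:0:99999:7:::
thisisaverylongname:ab01FAX.bQRSU:11935:0:99999:7:::
daemon:*:11935:0:99999:7:::
todd:!!:11935:0:99999:7:::
"""
SAMPLE_PAM = """\
auth     required   /lib/security/pam_unix.so likeauth nullok
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
"""

if __name__ == "__main__":
    print("DES-hashed accounts:", legacy_accounts(SAMPLE_SHADOW))
    print("new passwords use MD5:", pam_password_uses_md5(SAMPLE_PAM))
```

Enabling md5 in PAM only affects passwords set afterwards; an account listed by `legacy_accounts` keeps its 8-character DES hash until its password is changed.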
