On 2/28/07, Kevin Day <[EMAIL PROTECTED]> wrote:
> This may only be specific to my system so here are the notable things:
> - Linux-PAM (set passwords to blowfish as pam seems to handle them)
> - shadow (without blowfish patch (does not work well with Linux-PAM))
> - uClibc
>
> Now, the problem:
> 1) passwords that do not match the password fail as expected, but only
> when the part that is incorrect based off the actual password size
> (length)
> 2) the password itself works
> 3) Anything after the actual password size will pass, irregardless
>
> example:
>
> password = abcd
> 1) a = fail
> 2) acdd = fail
> 3) acdde = fail
> 4) abcd = pass
> 5) abcde = pass
> 6) abcd09824t6jkdjf93t293tiwegfskjeg = pass
> !!
>
> Now, this may be directly from Linux-PAM itself, I do not know if the
> shadow passwords patch without Linux-PAM has this problem.
>
> Can anybody reproduce this on their system (including the non-Linux
> Pam shadow blowfish systems)?
>

The previous password was an example of what I was doing with my broken password. I should have thought to properly test different passwords as well.
I was trying to avoid using any portion of my password but it looks like part of it breaks blowfish somehow. Unfortunately, the password I am using (which I do not want to reveal if at all possible) is the only password that will seem to break blowfish as far as I have tested.

Any thoughts on this obscurity? Maybe a buffer overrun is occurring or another kind of memory leak?

--
Kevin Day
