On 12 March 2012 12:18, Robert Tilden <[email protected]> wrote:
> One of our systems running ‘Scientific Linux Fermi LTS release 4.9’ is
> exhibiting some odd password behavior.
>
> I can log in using a legitimate password for an account, but I can also log
> in when I add random characters at the -end- of the legitimate password.
> Shortened legitimate passwords don’t work, nor do nonlegitimate passwords.
> It’s like the password check stops when it sees a match but doesn’t check
> beyond that point.
>
> uname -a gives ‘Linux <redacted>.phys.northwestern.edu 2.6.9-101.ELsmp #1
> SMP Wed Jul 20 12:44:12 CDT 2011 x86_64 x86_64 x86_64 GNU/Linux’
>
Depends on the password hash. If the system is set up to use the old DES
hash passwords then it will only look at the first 8 characters. Any
characters after that would be truncated and ignored. To check to see
which hash is being used for the account one can do a 'getent shadow' as
root on the system.

[ssmoogen@ponyo ~]$ openssl passwd -1 -salt CrapSalt Password
$1$CrapSalt$QwW4h1GkbcFPhKj/DmtOk.
[ssmoogen@ponyo ~]$ openssl passwd -salt CS Password
CS70elGx.oAms

The first example is an MD5crypt hash which has an "unlimited" length but
can be around 72 characters depending on the system. The second example
is the older DES style hash which is limited to 8 characters.

> Any thoughts?
>

--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh so
smart or oh so pleasant. Well, for years I was smart. I recommend
pleasant. You may quote me." —James Stewart as Elwood P. Dowd
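As an added example, not part of this thread, here is a Python script that does the check Stephen describes on a copy of the shadow file: it classifies each password field by scheme, flags DES crypt hashes as checking only 8 characters, and, where the host's crypt(3) still supports DES, confirms the truncation using the two salts from the reply. The shadow records are constructed for the example; the `crypt` module is deprecated in recent Python, so that last check returns None when it is unavailable.

```python
# Audit shadow-style records for legacy DES crypt(3) hashes, which check only
# the first 8 password characters, unlike $1$/$5$/$6$ schemes. Samples constructed.
import re

MCF_NAMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash
TRUNCATES_AT = {"des-crypt": 8}               # schemes with a hard cutoff


def classify_hash(field: str) -> str:
    """Name the scheme used by one shadow password field."""
    if field == "" or field[0] in "!*":
        return "locked-or-empty"
    if field.startswith("$"):  # modular crypt format: $id$salt$hash
        scheme_id = field.split("$")[1]
        return MCF_NAMES.get(scheme_id, "mcf-unknown-" + scheme_id)
    return "des-crypt" if DES_RE.match(field) else "unknown"


def audit_shadow(lines):
    """Return [(user, scheme, max_len)] for hashes that silently truncate."""
    findings = []
    for line in lines:
        if line.strip() and not line.startswith("#"):
            user, pw = line.split(":")[:2]
            scheme = classify_hash(pw)
            if scheme in TRUNCATES_AT:
                findings.append((user, scheme, TRUNCATES_AT[scheme]))
    return findings


def same_hash_with_suffix(password: str, salt: str):
    """True if this host's crypt(3) hashes password and password+'XYZ' the
    same under this salt; None if the deprecated 'crypt' module is missing
    or the host's libcrypt refuses the scheme (failure token / error)."""
    try:
        import crypt  # removed in Python 3.13; may warn on 3.11/3.12
        a = crypt.crypt(password, salt)
        b = crypt.crypt(password + "XYZ", salt)
    except Exception:
        return None
    if a is None or a.startswith("*"):  # libxcrypt failure token
        return None
    return a == b


SAMPLE_SHADOW = [  # constructed records; both hashes appear in the reply
    "root:$1$CrapSalt$QwW4h1GkbcFPhKj/DmtOk.:15400:0:99999:7:::",
    "legacy:CS70elGx.oAms:15400:0:99999:7:::",
    "svc:!!:15400:0:99999:7:::",
]
```

Run `audit_shadow` over the output of `getent shadow` to list every account still on a DES hash; those are the accounts that accept any suffix after the eighth character.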
