Bug 57839

Summary: Incorrect behaviour of crypt passwords
Product: [Retired] Red Hat Linux
Reporter: Jan Labanowski <jkl>
Component: passwd
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Aaron Brown <abrown>
Severity: medium
Priority: medium
Version: 7.2
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-12-27 16:08:41 UTC

Description Jan Labanowski 2001-12-27 16:08:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (X11; U; Linux 2.4.9-13 i686)

Description of problem:
I am running as root and I am changing a password for user bob as:
passwd bob
New password: 123456789
Retype new password: 123456789
passwd: all authentication tokens updated successfully
Then I want to log in as bob. Unfortunately, when I use the
123456789 as password, I will not be let in. But when I use
12345678 as password, I will be let in. This is for crypt passwords.
I understand that only 8 characters of the password are in fact
used, but the salt is computed from the whole password (I assume this
is your bug). Please correct it, since it is very annoying to count
letters in my passwords.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Log in as root and change the password for the user account to
   be longer than 8 characters, e.g., 123456789
   It is assumed that you chose the crypt passwords (not MD5)
2. Try to log in to the account with password 123456789. You will fail
3. Try to log in to the account with 12345678 (1st 8 chars) and you are in.

Expected Results: The necessary truncation of the password should be done
within software, not by the user counting characters in his/her password.
This is a new behaviour in 7.2

Additional info:

Comment 1 Nalin Dahyabhai 2002-01-18 18:02:13 UTC
This should be resolved in the pam errata at:
https://www.redhat.com/support/errata/RHBA-2001-149.html
Please reopen this bug ID if you find that this is not the case.
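
Added example (not part of the original report or of the pam/passwd code): a small audit helper that finds shadow entries still stored as traditional DES crypt, the scheme in which only the first 8 password characters are significant, as opposed to MD5 ("$1$") entries. The function names and the sample entries are assumptions made for illustration; the hash strings are constructed placeholders, not real hashes.

```python
import re

# Traditional DES crypt(3): 2 salt characters + 11 hash characters, all
# drawn from [./0-9A-Za-z]; only the first 8 password characters are used.
DES_FIELD = re.compile(r"[./0-9A-Za-z]{13}")
DES_SIGNIFICANT = 8

def classify(field):
    """Name the scheme of a shadow password field (second ':' column)."""
    body = field.lstrip("!")            # a leading "!" marks a locked password
    if body in ("", "*"):
        return "no-hash"
    if body.startswith("$1$"):
        return "md5"
    if body.startswith("$"):
        return "modular-other"
    if DES_FIELD.fullmatch(body):
        return "des"
    return "unknown"

def des_accounts(shadow_lines):
    """Return the user names whose stored hash is traditional DES crypt."""
    found = []
    for line in shadow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 2 and classify(parts[1]) == "des":
            found.append(parts[0])
    return found

def significant_part(password, scheme):
    """Return the part of a password that the scheme actually hashes."""
    return password[:DES_SIGNIFICANT] if scheme == "des" else password

# Constructed sample entries in shadow(5) layout (placeholder hashes).
SAMPLE_SHADOW = [
    "root:$1$saltsalt$0123456789abcdefghijkl:11683:0:99999:7:::",
    "bob:abJnggxhB/yWI:11683:0:99999:7:::",
    "daemon:*:11683:0:99999:7:::",
    "newuser:!!:11683:0:99999:7:::",
]

if __name__ == "__main__":
    for user in des_accounts(SAMPLE_SHADOW):
        print(f"{user}: DES crypt, only the first {DES_SIGNIFICANT} characters count")
    # Under DES crypt the two passwords from the report are the same secret.
    print(significant_part("123456789", "des") == significant_part("12345678", "des"))
```

Accounts reported by `des_accounts` have an effective password length of at most 8 characters regardless of what the user typed when setting it.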