Description of problem:
If you are using bigcrypt (and not MD5 etc), PAM (pam-0.74-22, as shipped with RedHat 7.1) allows login using a password truncated to 8 characters.

How reproducible:
Always

Steps to Reproduce:
test's password is "justtesting", encrypted with bigcrypt:

intrepid:~# grep bigcrypt /etc/pam.d/system-auth
password    sufficient   /lib/security/pam_unix.so nullok use_authtok bigcrypt shadow
intrepid:~# grep test /etc/shadow
test:5JU1O8vSbDEv.SfnBX/lCc5w:11468:0:99999:7:::134539204
intrepid:~$ ssh localhost
test@localhost's password: <entered "justtesting">
Last login: Sun May 27 00:55:54 2001
intrepid:~$ ssh localhost
test@localhost's password: <entered "justtestin">
Permission denied, please try again.
test@localhost's password: <entered "justtest">
Last login: Sun May 27 01:00:22 2001 from localhost
Created attachment 19733
This patch should fix this problem.
This should be fixed in 0.75-11 and later. Please reopen this ID if you find that this is not the case. (The fix is complicated by the need to ignore aging information appended to the crypted-password field as ",<somenumber>", so it's not as simple as it might otherwise be.)
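Added illustration (not the reporter's or Linux-PAM's code) of the bigcrypt hash layout behind the report above and of the ",<number>" aging suffix mentioned in the fix comment. It assumes a constructed stand-in for DES crypt(3) that only reproduces the 13-character shape, an assumed salt-chaining rule between segments, and a modeled prefix comparison that yields exactly the reported symptom: an 8-character truncation is accepted while a 10-character one is rejected.

```python
import hashlib
import hmac

# crypt(3)'s output alphabet; used by the constructed stand-in below.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def fake_crypt(block: str, salt: str) -> str:
    """Constructed stand-in for DES crypt(3): 2-char salt + 11 hash chars.
    Not the real algorithm; it only reproduces the 13-character shape."""
    digest = hashlib.sha256((salt + block).encode()).digest()
    return salt + "".join(ALPHABET[b & 63] for b in digest[:11])


def bigcrypt(password: str, salt: str) -> str:
    """bigcrypt layout: hash the password in 8-char segments and concatenate,
    dropping the salt from every segment but the first, so the stored value
    is 13 + 11*(n-1) chars (24 for the 11-char "justtesting" in the report)."""
    segments = [password[i:i + 8] for i in range(0, len(password), 8)] or [""]
    out = ""
    for i, seg in enumerate(segments):
        result = fake_crypt(seg, salt)
        out += result if i == 0 else result[2:]
        salt = result[2:4]  # assumed chaining rule for the next segment's salt
    return out


def verify_buggy(password: str, stored: str) -> bool:
    """Modeled defect (not the actual pam_unix code): the comparison only
    covers as many characters as the candidate password produced, so an
    8-char candidate is checked against the first 13 chars of a 24-char hash."""
    computed = bigcrypt(password, stored[:2])
    return stored.startswith(computed)


def verify_fixed(password: str, stored: str) -> bool:
    """Strip the ',<number>' aging suffix the fix comment mentions, then
    require the full hash to match, in constant time."""
    stored_hash = stored.split(",", 1)[0]
    computed = bigcrypt(password, stored_hash[:2])
    return hmac.compare_digest(computed, stored_hash)
```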
Has this been fixed? Please confirm.