Bug 42394 - PAM allows login using 8-chars password with bigcrypt
Summary: PAM allows login using 8-chars password with bigcrypt
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam   
Version: 7.1
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
 
Reported: 2001-05-27 00:27 UTC by Krzysztof Halasa
Modified: 2007-04-18 16:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-23 14:03:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments:
This patch should fix this problem (850 bytes, patch), 2001-05-27 00:29 UTC, Krzysztof Halasa

Description Krzysztof Halasa 2001-05-27 00:27:59 UTC
Description of problem:
If you are using bigcrypt (and not MD5 etc), PAM (pam-0.74-22, as shipped
with Red Hat 7.1) allows login using a password truncated to 8 characters.

How reproducible:
Always

Steps to Reproduce:
test's password is "justtesting", encrypted with bigcrypt:

intrepid:~# grep bigcrypt /etc/pam.d/system-auth
password sufficient /lib/security/pam_unix.so nullok use_authtok bigcrypt shadow
intrepid:~# grep test /etc/shadow
test:5JU1O8vSbDEv.SfnBX/lCc5w:11468:0:99999:7:::134539204

intrepid:~$ ssh localhost
test@localhost's password: <entered "justtesting">
Last login: Sun May 27 00:55:54 2001

intrepid:~$ ssh localhost
test@localhost's password: <entered "justtestin">
Permission denied, please try again.
test@localhost's password: <entered "justtest">
Last login: Sun May 27 01:00:22 2001 from localhost

Comment 1 Krzysztof Halasa 2001-05-27 00:29:36 UTC
Created attachment 19733 [details]
This patch should fix this problem

Comment 2 Nalin Dahyabhai 2001-08-31 02:37:43 UTC
This should be fixed in 0.75-11 and later.  Please reopen this ID if you find
that this is not the case.  (The fix is complicated by the need to ignore aging
information appended to the crypted-password field as ",<somenumber>", so it's
not as simple as it might otherwise be.)

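The following is an added illustration, written for this page and not taken from the bug report, the attached patch, or PAM's own source. It models the two things the report and Comment 2 describe: a bigcrypt hash that grows by one 11-character block per 8 characters of password, and a verifier that has to tolerate an aging suffix appended to the stored field as ",<somenumber>". The per-segment hash is a SHA-256 based stand-in (constructed here, not DES crypt(3)), the segment chaining rule is an approximation of bigcrypt's, and the shape of the faulty check (comparing only as many characters as the freshly computed hash has, so that any trailing suffix is ignored) is an assumption chosen to reproduce the observed behaviour: "justtest" accepted, "justtestin" rejected. The corrected check strips the aging suffix explicitly and then requires the whole hash to match.

```python
import hashlib
import hmac

# Constructed stand-in for DES crypt(3): bigcrypt's structure (8-character
# segments, each producing a 13-character "salt + 11 chars" result) is kept,
# but the per-segment hash is SHA-256 based so the example runs without libcrypt.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SEGMENT = 8


def _segment_hash(segment: str, salt: str) -> str:
    """Hash one <=8-char segment into salt + 11 chars (stand-in, not DES)."""
    digest = hashlib.sha256((salt + segment).encode()).digest()
    return salt + "".join(_B64[b % 64] for b in digest[:11])


def bigcrypt(password: str, salt: str) -> str:
    """Assumed bigcrypt layout: the first segment gives 13 chars, every later
    segment appends 11 more, salted with the first two chars of the previous
    segment's ciphertext. An 8-char password therefore yields 13 chars and an
    11-char password such as 'justtesting' yields 24, matching the 24-char
    field in the report."""
    segments = [password[i:i + SEGMENT] for i in range(0, len(password), SEGMENT)] or [""]
    out = _segment_hash(segments[0], salt[:2])
    for seg in segments[1:]:
        prev = out[-11:]
        out += _segment_hash(seg, prev[:2])[2:]
    return out


def verify_prefix_only(password: str, stored: str) -> bool:
    """Assumed shape of the faulty check: compare only as many characters as
    the freshly computed hash has, so that a trailing ',<aging>' suffix in the
    stored field is ignored. For 'justtest' the computed hash is 13 chars and
    equals the first 13 chars of the 24-char hash of 'justtesting'."""
    computed = bigcrypt(password, stored[:2])
    return stored[:len(computed)] == computed


def strip_aging(stored: str) -> str:
    """Drop an appended ',<somenumber>' aging suffix before comparing."""
    return stored.split(",", 1)[0]


def verify_full(password: str, stored: str) -> bool:
    """Corrected check: strip the aging suffix explicitly, then require the whole
    hash to match (constant-time compare), so a truncated password cannot pass."""
    expected = strip_aging(stored)
    computed = bigcrypt(password, expected[:2])
    return hmac.compare_digest(computed.encode(), expected.encode())


# Constructed sample: the user's real password is 'justtesting', stored both
# without and with an aging suffix (the suffix value is made up).
STORED = bigcrypt("justtesting", "5J")
STORED_WITH_AGING = STORED + ",11468"

if __name__ == "__main__":
    for pw in ("justtesting", "justtestin", "justtest"):
        print(f"{pw!r:15} prefix-only={verify_prefix_only(pw, STORED)!s:5} "
              f"full={verify_full(pw, STORED_WITH_AGING)}")
```

Run stand-alone, the table shows the prefix-only check accepting both "justtesting" and the truncated "justtest" while rejecting "justtestin", exactly the pattern in the report, and the full-length check accepting only the real password whether or not the aging suffix is present. The general lesson is the one Comment 2 hints at: a comparison whose length is taken from the attacker-influenced side (the freshly computed hash) is not a length check at all, and the suffix has to be removed by parsing the stored field rather than by comparing less of it.
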
Comment 3 Kjartan Maraas 2003-03-31 20:30:46 UTC
Has this been fixed? Please confirm.

