Bug 57839 - Incorrect behaviour of crypt passwords
Summary: Incorrect behaviour of crypt passwords
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: passwd   
(Show other bugs)
Version: 7.2
Hardware: i386 Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-12-27 16:08 UTC by Jan Labanowski
Modified: 2007-04-18 16:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-12-27 16:08:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Jan Labanowski 2001-12-27 16:08:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (X11; U; Linux 2.4.9-13 i686)

Description of problem:
I am running as root and I am changing a password for user bob as:
passwd bob
New password: 123456789
Retype new pasword: 123456789
passwd: all authentication tokens updated successfully
Then I want to log in as bob. Unfortunately, when I use the
123456789 as password, I will not be let in. But when I use
12345678 as password, I will be let in. This is for crypt passwords.
I understand that only 8-characters of the password are in fact
used, but the salt is computed from the whole password (I assume this
is your bug). Please correct it, since it is very anoying to count
letters in my passwords.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Log in as root and change the password for the user account to
  be longer than 8 characters, e.g., 123456789
  It is assumed that you chose the crypt passwords (not MD5)
2.Try to log in to the account with password 123456789. You will fail
3.Try to log in to the account with 12345678 (1st 8 chars) and you are in.

Expected Results:  The necessary truncation of the password should be done
withing software, not by the user counting characters in his/her password.
This is a new behaviour in 7.2

Additional info:

Comment 1 Nalin Dahyabhai 2002-01-18 18:02:13 UTC
This should be resolved in the pam errata at:
Please reopen this bug ID if you find that this is not the case.

Note You need to log in before you can comment on or make changes to this bug.