Re: sshd bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Wed, Aug 11, 2010 at 04:38:22PM +0100, Matt Keating wrote:
> Hi,
> 
> I've found a bug/problem with my centos 5.5 server. Any users who have
> a password of 9 characters or more, only the first 9 characters are
> used by the OS...
> eg. i set my password to "123456789" and i try logon via ssh with
> password "123456789ofgjdfuh" - it lets me in.
>  and if i set my password to "qwertasdfGHJB" and i enter
> "qwertasdfSDWQWSDS" - it lets me in...
> 
> The 'passwd' command only recognises the first 9 characters too...
> 
> Has anyone seen this before, or know how to fix it? I feel its a major
> security risk and would like it fixed ASAP.

Sounds like you're using DES password hashes instead of the newer MD5
style.

If you take a peek at some of the password entries in your /etc/shadow
do they have a $1$ at the beginning?  If not, you're probably using DES
which is limited to 8 characters.

There are a few other places where password length, strength, etc can
be configured, however I don't recall them off the top of my head.

This is almost certainly not sshd's fault. :)

Ray
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux