* Alan DeKok: > That's an issue, but a rare one IMHO. The user has to exist on the > system. So this isn't a remote DoS. Could you elaborate on this assessment? Is this because typical data sources for SSHA passwords limit the length of the salt and thus the length of the SSHA hash? Florian (Debian security team)