[tradigan@newrevolutions.net: RE: misc/69596: When logging in or
su'ing to root, I noticed that if you type the correct password but
add characters to the end of the correct password, the password
still passes validation and allows you to login]
Reply-To: Ceri Davies <ceri@submonkey.net>
Ceri Davies
ceri at submonkey.net
Mon Jul 26 07:20:27 PDT 2004
The following reply was made to PR misc/69596; it has been noted by GNATS.
From: Ceri Davies <ceri at submonkey.net>
To: FreeBSD Gnats Submit <freebsd-gnats-submit at FreeBSD.org>
Cc:
Subject: [tradigan at newrevolutions.net: RE: misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login]
Date: Mon, 26 Jul 2004 15:11:32 +0100
Message-ID: <20040726141132.GE24947 at submonkey.net>
Mail-Followup-To: Ceri Davies <ceri at submonkey.net>,
FreeBSD Gnats Submit <freebsd-gnats-submit at FreeBSD.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="hxkXGo8AKqTJ+9QI"
Content-Disposition: inline
X-PGP: finger ceri at FreeBSD.org
User-Agent: Mutt/1.5.6i
Sender: Ceri Davies <setantae at submonkey.net>
--hxkXGo8AKqTJ+9QI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Adding to audit trail.

--hxkXGo8AKqTJ+9QI
Content-Type: message/rfc822
Content-Disposition: inline
From: "Timothy Radigan" <tradigan at newrevolutions.net>
To: "Ceri Davies" <ceri at submonkey.net>
Subject: RE: misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login
Date: Mon, 26 Jul 2004 08:50:06 -0400
Message-ID: <ALEJJLKJDNFOODLHIENAOEDHCAAA.tradigan at newrevolutions.net>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20040726121455.GD24947 at submonkey.net>

Indeed. Man I feel dumb. I didn't even put the two together. Thanks for
bringing that to my attention.

-----Original Message-----
From: Ceri Davies [mailto:setantae at submonkey.net]On Behalf Of Ceri
Davies
Sent: Monday, July 26, 2004 8:15 AM
To: Timothy Radigan
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: misc/69596: When logging in or su'ing to root, I noticed
that if you type the correct password but add characters to the end of
the correct password, the password still passes validation and allows
you to login

On Sun, Jul 25, 2004 at 11:01:06PM +0000, Timothy Radigan wrote:
> Log in using an account, type the correct password and a few extra
> characters after the correct password and try to log in. You will
> be validated and access is granted.

At a guess, I'd say that you are using DES encrypted passwords, and your
password (after appending the extra characters) is more than 8 characters
long. This is a common limitation with DES.

Ceri

--
It is not tinfoil, it is my new skin. I am a robot.
--hxkXGo8AKqTJ+9QI--
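
Added example, not part of the original messages or of FreeBSD's own code: the key-derivation step of traditional DES crypt(3), which reads only the first 8 password bytes, and, going one step beyond the thread, a check that lists accounts whose stored hash is in the 13-character traditional DES format. The function names and the sample entries are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2 salt characters followed by 11 hash characters.
DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")

def des_crypt_key(password: str) -> bytes:
    """Return the 8 key bytes traditional DES crypt(3) derives from a password.

    Only the first 8 bytes are read; each is shifted left by one bit so that
    its low 7 bits fill the 56 key bits DES uses. Short passwords are zero-padded.
    """
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes((b << 1) & 0xFF for b in raw)

def des_equivalent(a: str, b: str) -> bool:
    """True when DES crypt(3) cannot tell the two passwords apart (same salt)."""
    return des_crypt_key(a) == des_crypt_key(b)

def hash_scheme(field: str) -> str:
    """Classify the password field of a name:hash:... entry."""
    if field.startswith("$"):
        parts = field.split("$")
        return "modular:" + parts[1] if len(parts) > 2 else "unknown"
    if DES_HASH.fullmatch(field):
        return "des"
    return "none"  # locked, empty, or not a recognised hash

def accounts_truncating(lines):
    """Names of accounts whose hash is traditional DES (8-character limit)."""
    hits = []
    for line in lines:
        if ":" not in line or line.startswith("#"):
            continue
        name, field = line.split(":")[:2]
        if hash_scheme(field) == "des":
            hits.append(name)
    return hits

# Constructed sample entries (placeholder values, not real hashes).
SAMPLE = [
    "alice:abCONSTRUCTED:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$1$constructed$CONSTRUCTEDHASHVALUE00:1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
]

if __name__ == "__main__":
    print(des_equivalent("correcthorse", "correcthXYZ"))  # same first 8 characters
    print(accounts_truncating(SAMPLE))
```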