i386/52392: Password lengths over 8 characters are ignored
Chris Lewis
chris at digitalwaffle.net
Sun May 18 03:40:15 PDT 2003
>Number: 52392
>Category: i386
>Synopsis: Password lengths over 8 characters are ignored
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun May 18 03:40:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Chris Lewis
>Release: FreeBSD 4.8-STABLE i386
>Organization:
None
>Environment:
System: FreeBSD toast.invisilogic.net 4.8-STABLE FreeBSD 4.8-STABLE #2: Mon May 5 21:03:22 BST 2003 root at toast.invisilogic.net:/usr/src/sys/compile/TOAST i386
VIA EPIA Mini-ITX, 800MHz
CPU: VIA C3 Samuel 2 (800.03-MHz 686-class CPU)
Origin = "CentaurHauls" Id = 0x673 Stepping = 3
Features=0x803035<FPU,DE,TSC,MSR,MTRR,PGE,MMX>
real memory = 266338304 (260096K bytes)
avail memory = 253939712 (247988K bytes)
>Description:
Although md5 password hashes are enabled (in login.conf, as per default), and appear to be hashing okay, password lengths over 8 characters (it would appear) are totally irrelevant.
Logins are accepted regardless of any characters that follow the first 8 of the password, i.e.:
my login for a password of "thereisamooseontheloose" was accepted as:
thereisa21398172397124761248
thereisa
and any longer variations thereof.
I have not been able to reproduce this on machines running 4.5-STABLE. The bug is apparent when connecting with SSH (of the stable-included version), and when connecting via FTP using ProFTPd (these are the only two services I run that use password-based auth, so I cannot confirm whether or not the bug affects other programs).
All the latest security patches have been applied to the system since the release of 4.8-STABLE.
>How-To-Repeat:
Set yourself a password length longer than 8 characters, and try logging in with just the first 8.
>Fix:
None
>Release-Note:
>Audit-Trail:
>Unformatted:
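The symptom described in this PR (only the first 8 characters of the password matter, even though login.conf selects md5) is exactly how traditional DES crypt(3) behaves: it uses only the first eight characters of the password, and the passwd_format setting only decides the format of passwords set after it was enabled, so a hash that is still in DES format keeps truncating until the password is changed. A practical check is therefore to look at the hash format actually stored for each account rather than at the configuration. The script below is an added example, not part of the PR or of FreeBSD; it parses constructed passwd/master.passwd-style lines (the login name is field 0 and the hash is field 1 in both formats), classifies each hash by its modular-crypt prefix or its 13-character DES shape, and lists the accounts whose scheme discards characters past position 8.

```python
"""Audit passwd / master.passwd-style entries for hash schemes that only
use the first 8 characters of the password.

Added illustration for the FreeBSD PR above; the sample lines are constructed
and the hash values in them are not real hashes.
"""
import re

# Traditional DES crypt(3) output: 13 characters of [./0-9A-Za-z], no "$".
# Only the first 8 characters of the password feed into it.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt identifiers -> (scheme name, effective password limit or None).
# bcrypt's 72-byte cap is listed for completeness; DES's 8 is the one that
# produces the behaviour reported in the PR.
_SCHEMES = {
    "1": ("md5", None),
    "2a": ("bcrypt", 72),
    "2b": ("bcrypt", 72),
    "5": ("sha256", None),
    "6": ("sha512", None),
}


def classify_hash(field):
    """Classify one password field; return (scheme, effective_limit)."""
    if field == "":
        return ("empty", None)          # no password required at all
    if field.startswith(("*", "!")):
        return ("locked", None)         # password login disabled
    if field.startswith("$"):
        ident = field.split("$")[1]     # "$1$salt$hash" -> "1"
        return _SCHEMES.get(ident, ("unknown-modular", None))
    if _DES_RE.match(field):
        return ("des", 8)
    return ("unknown", None)


def audit_entries(lines):
    """Return a list of (user, scheme, limit) for each non-comment line.

    Both /etc/passwd and master.passwd keep the login name in field 0 and the
    hash in field 1, so one parser serves either file.
    """
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, limit = classify_hash(fields[1])
        results.append((fields[0], scheme, limit))
    return results


def truncating_accounts(lines, threshold=8):
    """Names of accounts whose hash scheme discards characters past `threshold`."""
    return [user for user, _scheme, limit in audit_entries(lines)
            if limit is not None and limit <= threshold]


# Constructed sample in master.passwd layout (10 fields); not a real database.
SAMPLE_MASTER_PASSWD = """\
# constructed sample lines
root:*:0:0::0:0:Charlie &:/root:/bin/csh
chris:abJnggxhB/yWI:1001:1001::0:0:Chris Lewis:/home/chris:/bin/sh
alice:$1$XyZ12345$0123456789abcdefghijkl:1002:1002::0:0:Alice:/home/alice:/bin/sh
guest::1003:1003::0:0:Guest:/home/guest:/sbin/nologin
""".splitlines()


if __name__ == "__main__":
    for user, scheme, limit in audit_entries(SAMPLE_MASTER_PASSWD):
        note = "" if limit is None else " (only first %d chars checked)" % limit
        print("%-8s %-16s%s" % (user, scheme, note))
    print("accounts to re-set password for:", truncating_accounts(SAMPLE_MASTER_PASSWD))
```

Run against a real master.passwd (as root, on a copy or via `sudo`), any account listed by `truncating_accounts` still carries a DES-format hash; having the user change the password once after `passwd_format=md5` is in effect produces an md5 hash that uses the whole password.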