Date:      Sun, 18 May 2003 11:35:00 +0100 (BST)
From:      Chris Lewis <chris@digitalwaffle.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   i386/52392: Password lengths over 8 characters are ignored
Message-ID:  <200305181035.h4IAZ0NX051128@toast.invisilogic.net>
Resent-Message-ID: <200305181040.h4IAeEnt037603@freefall.freebsd.org>


>Number:         52392
>Category:       i386
>Synopsis:       Password lengths over 8 characters are ignored
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 18 03:40:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Chris Lewis
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
None
>Environment:
System: FreeBSD toast.invisilogic.net 4.8-STABLE FreeBSD 4.8-STABLE #2: Mon May 5 21:03:22 BST 2003 root@toast.invisilogic.net:/usr/src/sys/compile/TOAST i386


VIA EPIA Mini-ITX, 800MHz
CPU: VIA C3 Samuel 2 (800.03-MHz 686-class CPU)
  Origin = "CentaurHauls"  Id = 0x673  Stepping = 3
  Features=0x803035<FPU,DE,TSC,MSR,MTRR,PGE,MMX>
real memory  = 266338304 (260096K bytes)
avail memory = 253939712 (247988K bytes)

>Description:
Although md5 password hashes are enabled (in login.conf, as per default), and appear to be hashing okay, password lengths over 8 characters (it would appear) are totally irrelevant.

Logins are accepted regardless of any characters that follow the first 8 of the password, i.e.:

my login for a password of "thereisamooseontheloose" was accepted as:
thereisa21398172397124761248
thereisa

and any longer variations thereof.

I have not been able to reproduce this on machines running 4.5-STABLE. The bug is apparent when connecting with SSH (of the stable-included version), and when connecting via FTP using ProFTPd (these are the only two services I run that use password-based auth, so I cannot confirm whether or not the bug affects other programs).

All the latest security patches have been applied to the system since the release of 4.8-STABLE.

>How-To-Repeat:
Set yourself a password length longer than 8 characters, and try logging in with just the first 8.

>Fix:
None
>Release-Note:
>Audit-Trail:
>Unformatted:
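The symptom in this report, a login accepted on the first 8 characters alone, is exactly what traditional DES crypt(3) produces, because DES crypt uses only the first 8 bytes of the password; MD5 crypt ($1$) does not truncate. Whether that is the cause here is not established by the report, but an administrator triaging it would first check what hash formats are actually stored on disk, since a login.conf setting only governs how newly set passwords are hashed and leaves existing entries untouched until the password is changed. The following audit script is an added example, not part of the bug report or of FreeBSD; it parses master.passwd-format lines and flags accounts whose stored hash is in the 13-character DES format. The sample entries and every hash value in them are constructed placeholders.

```python
"""Audit master.passwd-style entries for hashes that cover only the first
8 characters of the password (traditional DES crypt).

Added example for illustration; not code from the bug report or FreeBSD.
The sample file and its hash strings are constructed placeholders.
"""
import re

# Traditional DES crypt(3) output is exactly 13 characters from the
# [./0-9A-Za-z] alphabet with no "$" prefix.  DES crypt hashes only the
# first 8 bytes of the password, so longer passwords are silently truncated.
_DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes whose algorithms hash the full password.
_MODULAR_PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
}


def classify_hash(h):
    """Label the format of a single password field."""
    if h == "":
        return "empty"            # no password at all
    if h.startswith("*") or h.startswith("!"):
        return "disabled"         # "*", "*LOCKED*...", "!" etc.
    for prefix, label in _MODULAR_PREFIXES.items():
        if h.startswith(prefix):
            return label
    if _DES_HASH.match(h):
        return "des"              # only the first 8 characters matter
    return "unknown"


def parse_master_passwd(text):
    """Yield (user, hash) from master.passwd text.

    Field order: name:password:uid:gid:class:change:expire:gecos:home:shell
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]


def find_truncating_hashes(text):
    """Return [(user, label)] for accounts stored with a DES-format hash."""
    flagged = []
    for user, h in parse_master_passwd(text):
        label = classify_hash(h)
        if label == "des":
            flagged.append((user, label))
    return flagged


# Constructed sample; hash strings are placeholders, not real hashes.
SAMPLE = """\
# constructed master.passwd excerpt
root:$1$saltsalt$placeholderhashvalue12:0:0::0:0:Charlie &:/root:/bin/csh
chris:abJnggxhB/yWI:1001:1001::0:0:Chris:/home/chris:/bin/sh
ftp:*:14:5::0:0:Anonymous FTP:/var/ftp:/usr/sbin/nologin
jane:$2b$10$placeholderbcryptsaltandhash:1002:1002::0:0:Jane:/home/jane:/bin/sh
"""

if __name__ == "__main__":
    for user, label in find_truncating_hashes(SAMPLE):
        print(f"{user}: stored hash is {label}; only the first 8 characters are checked")
```

Run it against a copy of the real file (root-only, mode 0600) rather than the sample; any account it lists should have its password re-set so a full-length hash is written, and the result can be re-checked by re-running the audit.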



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200305181035.h4IAZ0NX051128>