From owner-freebsd-i386@FreeBSD.ORG Sun May 18 03:40:15 2003
Resent-Date: Sun, 18 May 2003 03:40:14 -0700 (PDT)
Resent-Message-Id: <200305181040.h4IAeEnt037603@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-i386@FreeBSD.org
Message-Id: <200305181035.h4IAZ0NX051128@toast.invisilogic.net>
Date: Sun, 18 May 2003 11:35:00 +0100 (BST)
From: Chris Lewis
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: i386/52392: Password lengths over 8 characters are ignored
List-Id: I386-specific issues for FreeBSD

>Number:         52392
>Category:       i386
>Synopsis:       Password lengths over 8 characters are ignored
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-i386
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 18 03:40:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Chris Lewis
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
None
>Environment:
System: FreeBSD toast.invisilogic.net 4.8-STABLE FreeBSD 4.8-STABLE #2: Mon May 5 21:03:22 BST 2003 root@toast.invisilogic.net:/usr/src/sys/compile/TOAST i386

VIA EPIA Mini-ITX, 800MHz
CPU: VIA C3 Samuel 2 (800.03-MHz 686-class CPU)
  Origin = "CentaurHauls"  Id = 0x673  Stepping = 3
  Features=0x803035
real memory  = 266338304 (260096K bytes)
avail memory = 253939712 (247988K bytes)

>Description:
Although MD5 password hashes are enabled (in login.conf, as per default), and appear to be hashing okay, password lengths over 8 characters (it would appear) are totally irrelevant. Logins are accepted regardless of any characters that follow the first 8 of the password, i.e.: my login for a password of "thereisamooseontheloose" was accepted as:

thereisa21398172397124761248
thereisa

and any longer variations thereof.

I have not been able to reproduce this on machines running 4.5-STABLE.

The bug is apparent when connecting with SSH (of the stable-included version), and when connecting via FTP using ProFTPd (these are the only two services I run that use password-based auth, so I cannot confirm whether or not the bug affects other programs).

All the latest security patches have been applied to the system since the release of 4.8-STABLE.

>How-To-Repeat:
Set yourself a password longer than 8 characters, and try logging in with just the first 8.
>Fix:
None
>Release-Note:
>Audit-Trail:
>Unformatted:
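The symptom in this report, a password accepted on its first 8 characters alone, is the defining property of traditional DES-based crypt(3), which hashes only the first 8 characters of the key; MD5-based crypt ($1$ prefix) uses the whole password. Because login.conf's passwd_format only governs passwords set after it was changed, and crypt(3) selects the algorithm from the salt prefix of the stored hash, an account can still hold a DES hash on a system whose login.conf says md5. The following script is an added example, not part of the PR or of FreeBSD, that audits master.passwd-style lines for such accounts and reproduces the "same first 8 characters" check from the report. The sample password file is constructed; the hash strings in it are placeholders with the right shape, not real hashes.

```python
"""Audit stored password hashes for the crypt(3) scheme they actually use.

Added example (not part of PR i386/52392 or of FreeBSD).  Assumes
master.passwd-style lines (name:hash:uid:gid:class:change:expire:gecos:home:shell)
and the conventional hash prefixes: '$1$' MD5, '$2a$'/'$2b$' Blowfish,
'$5$'/'$6$' SHA-2, '_' BSDi extended DES, and a 13-character string over
[./0-9A-Za-z] for traditional DES.
"""
import re

# Traditional DES crypt(3): 2-char salt + 11-char hash, alphabet [./0-9A-Za-z].
# Only the first 8 characters of the password (7 bits each) feed the key, so
# any password sharing those 8 characters produces the same hash.
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes and the scheme they denote.
SCHEMES = (
    ("$1$", "md5"),
    ("$2a$", "blowfish"),
    ("$2b$", "blowfish"),
    ("$5$", "sha256"),
    ("$6$", "sha512"),
    ("_", "bsdi-extended-des"),
)

# Number of password characters a scheme actually uses; absent means all of them.
# (bcrypt stops at 72 bytes; only DES truncates short enough to matter here.)
EFFECTIVE_LIMIT = {"des": 8, "blowfish": 72}


def classify_hash(pwhash):
    """Return the scheme name for one stored password field."""
    # '*', '*LOCKED*...', '!...' and an empty field never match a typed password
    # via crypt(); report them so they are not mistaken for DES.
    if pwhash == "" or pwhash.startswith("*") or pwhash.startswith("!"):
        return "no-password-auth"
    for prefix, scheme in SCHEMES:
        if pwhash.startswith(prefix):
            return scheme
    if DES_HASH_RE.match(pwhash):
        return "des"
    return "unknown"


def audit_master_passwd(text):
    """Return [(user, scheme, limit)] for every account line in text."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a passwd-style record
        scheme = classify_hash(fields[1])
        findings.append((fields[0], scheme, EFFECTIVE_LIMIT.get(scheme)))
    return findings


def accounts_with_truncated_passwords(text, max_limit=8):
    """Accounts whose hash ignores everything after max_limit characters."""
    return [(u, s, l) for u, s, l in audit_master_passwd(text)
            if l is not None and l <= max_limit]


def same_under_scheme(scheme, pw_a, pw_b):
    """True when pw_a and pw_b are guaranteed to hash identically under scheme.

    For DES, equality of the first 8 characters is sufficient (the report's
    "thereisa..." case); for schemes without a limit the passwords must match.
    """
    limit = EFFECTIVE_LIMIT.get(scheme)
    if limit is None:
        return pw_a == pw_b
    return pw_a[:limit] == pw_b[:limit]


# Constructed sample master.passwd; hashes are shape-correct placeholders only.
SAMPLE_MASTER_PASSWD = """\
# constructed sample, not a real password file
root:$1$saltsalt$pMfMYYMdS8gcRN5HbGJnE1:0:0::0:0:Charlie &:/root:/bin/csh
chris:abJnggxhB/yWI:1001:1001::0:0:Chris:/home/chris:/bin/sh
ftp:*:14:5::0:0:Anonymous FTP Admin:/var/ftp:/nonexistent
alice:$2a$04$abcdefghijklmnopqrstuu5v1L1mS9RgTb1E0OnhgE8sBf2Ns4v3G:1002:1002::0:0:Alice:/home/alice:/bin/sh
"""

if __name__ == "__main__":
    for user, scheme, limit in audit_master_passwd(SAMPLE_MASTER_PASSWD):
        print(f"{user:8} {scheme:18} effective limit: {limit or 'none'}")
    for user, scheme, limit in accounts_with_truncated_passwords(SAMPLE_MASTER_PASSWD):
        print(f"WARNING: {user} still has a {scheme} hash; only {limit} chars checked")
```

On the affected machine the same check, run as root, is awk -F: '$2 !~ /^\$/ && length($2) == 13 {print $1}' /etc/master.passwd; any account it prints keeps a DES hash until its password is set again under the md5 format, which is the practical remedy to try before assuming a bug in sshd or ProFTPd.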