From owner-freebsd-bugs@FreeBSD.ORG Mon Jul 26 14:20:27 2004
Date: Mon, 26 Jul 2004 14:20:26 GMT
Message-Id: <200407261420.i6QEKQvk058634@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ceri Davies
Subject: [tradigan@newrevolutions.net: RE: misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login]
Reply-To: Ceri Davies
List-Id: Bug reports

The following reply was made to PR misc/69596; it has been noted by GNATS.

From: Ceri Davies
To: FreeBSD Gnats Submit
Subject: [tradigan@newrevolutions.net: RE: misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login]
Date: Mon, 26 Jul 2004 15:11:32 +0100
Message-ID: <20040726141132.GE24947@submonkey.net>
User-Agent: Mutt/1.5.6i

Adding to audit trail.

[Attached message: message/rfc822]

From: "Timothy Radigan"
To: "Ceri Davies"
Subject: RE: misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login
Date: Mon, 26 Jul 2004 08:50:06 -0400
In-Reply-To: <20040726121455.GD24947@submonkey.net>

Indeed. Man, I feel dumb. I didn't even put the two together. Thanks for bringing that to my attention.

-----Original Message-----
From: Ceri Davies [mailto:setantae@submonkey.net] On Behalf Of Ceri Davies
Sent: Monday, July 26, 2004 8:15 AM
To: Timothy Radigan
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login

On Sun, Jul 25, 2004 at 11:01:06PM +0000, Timothy Radigan wrote:
> Log in using an account, type the correct password and a few extra
> characters after the correct password and try to log in. You will
> be validated and access is granted.

At a guess, I'd say that you are using DES encrypted passwords, and your password (after appending the extra characters) is more than 8 characters long. This is a common limitation with DES.

Ceri

--
It is not tinfoil, it is my new skin. I am a robot.
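An added audit helper, not part of the PR or of FreeBSD's own code: it parses master.passwd-style entries and flags accounts whose stored hash is the traditional 13-character DES format, the case Ceri describes in which only the first 8 characters of the typed password are checked. The account names and hash values below are constructed samples with the right shape, not real hashes.

```python
import re
from typing import List

# Constructed sample in FreeBSD master.passwd layout:
# name:hash:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
root:$2b$04$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:0:0::0:0:Charlie &:/root:/bin/csh
tim:ab3dEfGh1JkLm:1001:1001::0:0:Timothy:/home/tim:/bin/sh
alice:$1$saltsalt$abcdefghijklmnopqrstuv:1002:1002::0:0:Alice:/home/alice:/bin/sh
svc:*:1003:1003::0:0:Service:/nonexistent:/usr/sbin/nologin
bob:_J9..abcdefghijklmno:1004:1004::0:0:Bob:/home/bob:/bin/sh
"""

# Traditional DES crypt(3): 2-char salt + 11-char hash, alphabet [./0-9A-Za-z].
TRAD_DES = re.compile(r'^[./0-9A-Za-z]{13}$')
# BSDi extended DES: leading '_', 4-char iteration count, 4-char salt, 11-char hash.
EXT_DES = re.compile(r'^_[./0-9A-Za-z]{19}$')


def classify_hash(field: str) -> str:
    """Name the hashing scheme implied by a stored password field."""
    if not field or field.startswith(('*', '!')):
        return 'no-password'      # locked account or no password set
    if field.startswith('$'):
        return 'modular'          # $1$ MD5, $2a$/$2b$ bcrypt, $5$/$6$ SHA-2
    if EXT_DES.match(field):
        return 'extended-des'     # folds the whole password, not cut at 8
    if TRAD_DES.match(field):
        return 'des'              # only the first 8 password chars are used
    return 'unknown'


def audit_des_accounts(master_passwd: str) -> List[str]:
    """Return the accounts still stored with a traditional DES hash."""
    flagged = []
    for line in master_passwd.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) >= 2 and classify_hash(fields[1]) == 'des':
            flagged.append(fields[0])
    return flagged


if __name__ == '__main__':
    for name in audit_des_accounts(SAMPLE_MASTER_PASSWD):
        print(f'{name}: DES hash, effective password is its first 8 characters')
```

On FreeBSD the remedy is to set a stronger `passwd_format` (for example `blf`) in the relevant login.conf class, rebuild the database with cap_mkdb, and have each flagged user change their password so it is rehashed.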