From owner-freebsd-security  Mon Oct  4 12: 4:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758)
	id 9BD371551C; Mon,  4 Oct 1999 12:03:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8F9EE1CD473; Mon,  4 Oct 1999 12:03:39 -0700 (PDT)
	(envelope-from kris@hub.freebsd.org)
Date: Mon, 4 Oct 1999 12:03:39 -0700 (PDT)
From: Kris Kennaway <kris@hub.freebsd.org>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
In-Reply-To: <3.0.5.32.19991004144542.010443b0@staff.sentex.ca>
Message-ID: <Pine.BSF.4.10.9910041158280.83141-100000@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 4 Oct 1999, Mike Tancsa wrote:

> >Don't install the DES libcrypt libraries; DES passwords are 8 characters,
> >MD5 are (effectively) infinite. Long user names are already supported, I
> >do believe.
> 
> Infinite ?  I thought they only honoured the first 16 chars in this case ?

Well, I wasn't quite correct here.

PASSWORD_LEN = 128

MD5 (i.e. crypt() if you don't have the DES libraries, or you're using my
libcrypt replacement) just does a hash over whatever string is presented
to it, which passwd(1) limits to a max of PASSWORD_LEN characters. crypt()
can deal with effectively infinite passwords, but passwd(1) puts a wrapper
around it.

Kris




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message