From owner-freebsd-questions  Mon Apr  3 22:26:29 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from rjk191.rh.psu.edu (RJK191.rh.psu.edu [128.118.193.182])
	by hub.freebsd.org (Postfix) with ESMTP id 0D35637B616
	for <freebsd-questions@freebsd.org>; Mon,  3 Apr 2000 22:26:26 -0700 (PDT)
	(envelope-from ray@rjk191.rh.psu.edu)
Received: (from ray@localhost)
	by rjk191.rh.psu.edu (8.9.3/8.9.3) id BAA00648;
	Tue, 4 Apr 2000 01:26:07 -0400 (EDT)
	(envelope-from ray)
Date: Tue, 4 Apr 2000 01:26:07 -0400
From: Ray Kohler <ray@rjk191.rh.psu.edu>
To: Bhishan Hemrajani <bhishan@cytosine.dhs.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: only 8 chars of password needed to login
Message-ID: <20000404012607.A623@rjk191.rh.psu.edu>
Reply-To: rjk191@psu.edu
References: <200004040448.e344mDn01205@cytosine.dhs.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200004040448.e344mDn01205@cytosine.dhs.org>; from bhishan@cytosine.dhs.org on Mon, Apr 03, 2000 at 09:48:13PM -0700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Apr 03, 2000 at 09:48:13PM -0700, Bhishan Hemrajani wrote:
> I have a problem with user's passwords on my
> system. I'm not sure if it is an error in my
> setting up FreeBSD, or a security hole.
> 
> What happens is, I set a password for a user
> that is 10chars long. But, when I login, I can
> just enter 8chars and anything after that, or just
> the 8chars and it will let me log in.

The reason for this is that you are using DES passwords. The 8
character limit is a function of that system. If you want to fix it,
do this: Use vipw (as root) to open /etc/passwd. For each account
that you want to fix, add the string "$1$" to the beginning to the
encrypted password string. Quit vipw, and then run passwd to set the
right password for each user you changed. The reason this works is
that the crypt library searches for the string "$1$" at the
beginning of the password to figure out if it is md5. Once you put
it there once, the system will preserve it, thus allowing you to use
md5 passwords (which can be longer than 8 characters).

-- 
Ray Kohler <rjk191@psu.edu>
When you're not looking at it, this fortune is written in FORTRAN.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message