Re: [cobalt-users] Admin/root password security hole
- Subject: Re: [cobalt-users] Admin/root password security hole
- From: "Michael Zimmermann" <zim@xxxxxxxx>
- Date: Sat Apr 22 08:45:20 2000
Hi Cassandra, Fathi et al
:o)

again we have the question Qube or RaQ or what?

This thing "only the first 8 characters of the password are ever significant" is pretty old stuff and a side-effect of using the old CRYPT for password encryption.

The RaQ3 I'm using has PAM (Pluggable Authentication Module) installed with MD5 encryption enabled. This is probably the result of an installation of an rpm called Authen-PAM (including passwd-0.58-1 ?) - perhaps the nice guy setting up the server did that for my sane sleep.

How the Qube or other RaQs come, I don't know. As I didn't find any info about PAM in the Cobalt knowledge base, it could mean that the RaQs come initially shipped without PAM.

Whether you have PAM or not should become evident from the manual page for 'passwd' or from the existence of the directory /etc/pam.d. Or you telnet to the server and ask rpm -q Authen-PAM or such.

If you have PAM installed, you could enable MD5 encryption, if that's not already done by the default installation.

Michael
----- Original Message -----
Sent: Saturday, April 22, 2000 8:54 AM
Subject: Re: [cobalt-users] Admin/root password security hole
> Cassandra,
>
> > Tonight, my server granted me access pointblank, with only 10/14 characters
> > in the password entered. I was able to access root in this manner as well.
> > I logged out and attempted this several times, with several versions of my
> > password. The server granted me access as long as I had the first eight
> > characters.
> > Obviously, this is a gaping security hole. Has anyone else had this
> > problem? Any solutions, other than the obvious of having a shorter
> > password?
>
> This is not a security hole, this is Linux. You cannot have passwords longer
> than 8 characters -- I mean, you can, but everything over character #8 will
> be ignored. The same applies for all user passwords, I think.
>
> Regards,
> Fathi
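The behaviour the thread describes, as an added worked example that is not part of the original posts and not code from Cobalt or the PAM packages mentioned above: traditional DES-based crypt(3) builds its 56-bit DES key from the low 7 bits of the first 8 characters only, so "password1" and "password2" produce identical key material and therefore identical hashes, while MD5-crypt ("$1$", what pam_unix uses when the md5 option is on) mixes in the whole password. The des_crypt_key() function reproduces only the key-setting step of traditional crypt, which is enough to show the truncation; md5crypt() is a from-scratch re-implementation of the $1$ algorithm so the block does not depend on Python's deprecated crypt module. hash_scheme()/audit_shadow() are an additional check of my own, beyond the /etc/pam.d and rpm -q checks Michael suggests: they read the hash format straight out of /etc/shadow-style lines. The shadow lines and the 13-character DES-looking string are constructed for illustration.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def des_crypt_key(password: str) -> bytes:
    """Key-setting step of traditional crypt(3): the first 8 characters
    (NUL-padded) contribute 7 bits each to the 56-bit DES key. Characters
    from the 9th onward are never read, so passwords that agree on their
    first 8 characters yield the same key and hence the same hash."""
    first8 = password.encode("latin-1")[:8].ljust(8, b"\0")
    return bytes(c & 0x7F for c in first8)


def _to64(v: int, n: int) -> str:
    """crypt-style base64: emit n characters, low 6 bits first."""
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$), re-implemented from the classic algorithm. The
    full password is hashed, so there is no 8-character cap. `salt` may
    be a bare salt or a complete $1$salt$hash string (for verification)."""
    pw = password.encode("utf-8")
    magic = b"$1$"
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt_b = salt.split("$")[0][:8].encode("utf-8")

    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    pl = len(pw)
    while pl > 0:                       # mix in alt sum, len(pw) bytes worth
        ctx.update(alt[: min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # stretching loop
        c1 = hashlib.md5()
        c1.update(pw if i & 1 else final)
        if i % 3:
            c1.update(salt_b)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()
    f = final
    out = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$1$" + salt_b.decode() + "$" + out


def md5crypt_verify(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in `stored` and compare."""
    return md5crypt(password, stored) == stored


def hash_scheme(shadow_field: str) -> str:
    """Classify the password field of an /etc/shadow (or /etc/passwd) entry.
    Traditional DES crypt output is 13 characters with no '$'; MD5-crypt
    starts with '$1$'. Locked/empty fields and other schemes are reported."""
    if not shadow_field or shadow_field[0] in "*!":
        return "locked-or-empty"
    if shadow_field.startswith("$1$"):
        return "md5-crypt"
    if len(shadow_field) == 13 and "$" not in shadow_field:
        return "des-crypt"
    return "other"


def audit_shadow(lines):
    """Return {user: scheme}; an all-'des-crypt' result means the
    8-character truncation applies to every account on the box."""
    return {ln.split(":")[0]: hash_scheme(ln.split(":")[1])
            for ln in lines if ln.strip()}


# Constructed sample lines (assumption, not from any real system). The
# root hash is a real $1$ hash of "longpassword12"; the admin field is an
# illustrative 13-character string in the DES-crypt alphabet, not a real hash.
SAMPLE_SHADOW = [
    "root:" + md5crypt("longpassword12", "saltsalt") + ":11069:0:99999:7:::",
    "admin:aBcdEfGhIjKlM:11069:0:99999:7:::",
    "ftp:*:11069:0:99999:7:::",
]

if __name__ == "__main__":
    a, b = "password1", "password2"
    print("DES key material equal:", des_crypt_key(a) == des_crypt_key(b))
    print("MD5-crypt hashes equal:", md5crypt(a, "saltsalt") == md5crypt(b, "saltsalt"))
    for user, scheme in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:6} {scheme}")
```

Running it shows the two DES keys equal (so the 9th character can never matter) and the two $1$ hashes different. On a real box the same audit_shadow() over /etc/shadow tells you whether MD5 is actually in effect for existing accounts: switching pam_unix to md5 only changes hashes the next time each password is set, so an admin password last changed under DES crypt stays truncated until it is changed again.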