Re: [cobalt-users] Admin/root password security hole
- Subject: Re: [cobalt-users] Admin/root password security hole
- From: Rickard Osser <ricky@xxxxxxxx>
- Date: Sat Apr 22 09:53:37 2000
Hi Michael,
the md5 encryption is new from RedHat 6.x which Cobalt RaQ3 is built
upon...
The only thing we have to do is update to the glibc/pam/passwd and all the
other stuff redhat has updated for the x86-platform for Cobalt and port
them to MIPS (NOT!)...
It's quite a big deal, I'm sorry to say. It's doable, but makes no real
sense today...
Best regards,
Rickard Osser
Manager, Osser Brosoft AB (Distributor of Cobalt Networks servers)
Maria Bangata 6, S-118 63 Stockholm, Sweden
Computer Consultants: Networking, DOS/Win/Mac/Linux/Unix
Tel: +46-8-798 29 27 Fax: +46-8-668 89 10
E-mail: ricky@xxxxxxxx WWW: http://www.brosoft.net
On Sat, 22 Apr 2000, Michael Zimmermann wrote:
> Hi Cassandra, Fathi et al :o)
>
> again we have the question Qube or RaQ or what?
>
> This thing "only the first 8 characters of the password
> are ever significant" is pretty old stuff and a side-effect
> of using the old CRYPT for password encryption.
>
> The RaQ3 I'm using has PAM (Pluggable Authentication Module)
> installed with MD5 encryption enabled. This is probably the result
> of an installation of a rpm called Authen-PAM (including passwd-0.58-1 ?)
> - perhaps the nice guy setting up the server did that for my sane sleep.
> How the Qube or other RaQs come, I don't know.
> As I didn't find any info about PAM in the Cobalt knowledge base
> it could mean that the RaQs come initially shipped without PAM.
>
> Whether you have PAM or not should become evident from the
> manual page for 'passwd' or from the existence of the directory
>
> /etc/pam.d
>
> Or you telnet to the server and ask rpm -q Authen-PAM or such.
>
> If you have PAM installed, you could enable MD5 encryption,
> if that's not already done by the default installation.
>
>
> Michael
>
>
> ----- Original Message -----
> From: "Fathi Said" <fathi@xxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Saturday, April 22, 2000 8:54 AM
> Subject: Re: [cobalt-users] Admin/root password security hole
>
>
> > Cassandra,
> >
> > > Tonight, my server granted me access pointblank, with only 10/14 characters
> > > in the password entered. I was able to access root in this manner as well.
> > > I logged out and attempted this several times, with several versions of my
> > > password. The server granted me access as long as I had the first eight
> > > characters.
> > > Obviously, this is a gaping security hole. Has anyone else had this
> > > problem? Any solutions, other than the obvious of having a shorter
> > > password?
> >
> > This is not a security hole, this is Linux. You cannot have passwords longer
> > than 8 characters -- I mean, you can, but everything over character #8 will
> > be ignored. The same applies for all user passwords, I think.
> >
> > Regards,
> > Fathi
>
>
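A defender-side check for the question this thread turns on (is an account still on the old CRYPT, where only the first 8 password characters count, or already on MD5 crypt?), as an added example that is not part of any message in the thread: it classifies the hash field of /etc/shadow-style lines by format. The account names and hash strings below are constructed placeholders, not real credentials.

```python
import re

# Constructed sample in /etc/shadow format (hypothetical accounts; the hash
# strings are placeholders built for this example, not real credentials).
SAMPLE_SHADOW = """\
root:$1$Xk9sLp2q$ZqS0jEoFtN9bQb1VvLjvx0:11069:0:99999:7:::
admin:jtUFP7P9cNxRk:11069:0:99999:7:::
www:Q6xyzN8f3Ab/c:11069:0:99999:7:::
backup:*:11069:0:99999:7:::
guest::11069:0:99999:7:::
"""

# Traditional DES crypt(3): 2-char salt + 11-char hash, alphabet [./0-9A-Za-z].
# Only the first 8 characters of the password feed the DES key schedule.
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt prefixes ($id$ convention, introduced with glibc MD5 crypt).
_PREFIXES = {"$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt",
             "$5$": "sha256", "$6$": "sha512"}


def classify(field):
    """Return (scheme, significant_chars); None means no fixed truncation."""
    if field in ("", "*", "!!") or field.startswith("!"):
        return ("locked-or-empty", None)
    for prefix, scheme in _PREFIXES.items():
        if field.startswith(prefix):
            return (scheme, None)
    if _DES_CRYPT.match(field):
        return ("des-crypt", 8)
    return ("unknown", None)


def audit(shadow_text):
    """List accounts still on 8-character DES crypt, plus empty password fields."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        scheme, limit = classify(field)
        if scheme == "des-crypt":
            findings.append((user, f"des-crypt: only the first {limit} password chars are checked"))
        elif field == "":
            findings.append((user, "empty password field"))
    return findings


if __name__ == "__main__":
    for user, note in audit(SAMPLE_SHADOW):
        print(f"{user}: {note}")
```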