
Re: [cobalt-users] Admin/root password security hole



Once upon a time, Fathi Said <fathi@xxxxxx> said:
> > Tonight, my server granted me access pointblank, with only 10/14
> > characters in the password entered.  I was able to access root in this
> > manner as well.
> > I logged out and attempted this several times, with several versions of my
> > password.  The server granted me access as long as I had the first eight
> > characters.
> > Obviously, this is a gaping security hole.  Has anyone else had this
> > problem?  Any solutions, other than the obvious of having a shorter
> > password?
> 
> This is not a security hole, this is Linux. You cannot have passwords longer
> than 8 characters -- I mean, you can, but everything over character #8 will
> be ignored. The same applies for all user passwords, I think.

This isn't a Linux limitation, it is a Cobalt limitation.  The original
Unix password encryption method used 56 bit DES (8 chars * 7 bits/char =
56 bits).  Everything after 8 characters is silently ignored.  Some
platforms (Linux and FreeBSD I know) now use MD5 hashes for passwords,
which can easily support up to 128 characters.  I have been using long
passwords under Linux since Red Hat 4.x.  I don't know why Cobalt
doesn't support them.

If you change your password from a shell prompt on a Cobalt, I believe
it uses MD5 by default on the RaQ2 and RaQ3.  But some other parts of
the system don't use the system library functions for password checking
(they reimplement it I guess, which is really dumb), so some things will
break if you do it this way.
-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
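The mechanism Chris describes, as an added example that is not part of the original thread and not Cobalt's or glibc's code: traditional crypt(3) builds its DES key from the first eight characters only, so two passwords that agree on those eight produce the same key (the function below reproduces just that key-setup step, not DES itself). The second half audits shadow(5)-style entries and reports which hash scheme each account uses and the length at which that scheme silently stops reading the password. All shadow lines and hash strings are constructed for the example and correspond to no real password; the scheme prefixes and the 72-byte bcrypt limit are my own additions, not something the thread states.

```python
"""Audit shadow-style password hashes for silent length truncation.

Added example, not from the original thread. Traditional crypt(3) builds
its 56-bit DES key from the first eight characters of the password only;
MD5-crypt ($1$) and the SHA-crypt family ($5$/$6$) hash the whole
password. The shadow entries at the bottom are constructed.
"""
import re
from typing import List, Optional, Tuple

# Effective maximum password length per hash scheme, keyed by the prefix
# found in the hash field. None means the scheme uses the full password.
SCHEME_LIMITS = {
    "$1$": ("md5-crypt", None),
    "$5$": ("sha256-crypt", None),
    "$6$": ("sha512-crypt", None),
    "$2a$": ("bcrypt", 72),   # bcrypt stops reading input after 72 bytes
    "$2b$": ("bcrypt", 72),
    "$2y$": ("bcrypt", 72),
}

# Traditional DES crypt output: 2-character salt + 11-character hash,
# all from the 64-character alphabet ./0-9A-Za-z, no scheme prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def des_crypt_key(password: str) -> bytes:
    """Reproduce the key-setup step of traditional DES crypt(3).

    Only the first eight characters are consumed. Each contributes its low
    seven bits, shifted into the high bits of one key byte (the low bit is
    the DES parity bit and is ignored). Characters past position 8 never
    reach the cipher, which is why 8 * 7 = 56 bits of password is the cap.
    """
    key = bytearray(8)
    for i, ch in enumerate(password[:8]):
        key[i] = (ord(ch) & 0x7F) << 1
    return bytes(key)


def classify_hash(h: str) -> Tuple[str, Optional[int]]:
    """Return (scheme name, effective max password length or None)."""
    if h in ("", "*") or h.startswith("!"):
        return ("locked/no-password", None)
    for prefix, info in SCHEME_LIMITS.items():
        if h.startswith(prefix):
            return info
    if DES_RE.match(h):
        return ("des-crypt", 8)
    return ("unknown", None)


def audit_shadow(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (user, scheme, limit) for every entry whose scheme truncates."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, h = fields[0], fields[1]
        scheme, limit = classify_hash(h)
        if limit is not None:
            findings.append((user, scheme, limit))
    return findings


# Constructed shadow(5)-style entries. The hash strings are made up and
# do not correspond to any real password; only their format matters here.
SAMPLE_SHADOW = [
    "root:ab8vEqX9cl0Zk:12000:0:99999:7:::",
    "admin:$1$Kj3hG9bQ$c2Yx7JfQmWqzL0pR4sT1uV:12000:0:99999:7:::",
    "web:$6$Q1wE2rT3$Lk9Pm4Nn8Bb7Vv6Cc5Xx4Zz3Aa2Ss1Dd0Ff9Gg8Hh7Jj6Kk5Ll4Mm3Nn2Oo1Pp0Qq9Rr8Ss7Tt6Uu5Vv:12000:0:99999:7:::",
    "git:$2b$10$aBcDeFgHiJkLmNoPqRsTuuVwXyZ0123456789AbCdEfGhIjKlMnOpQrS:12000:0:99999:7:::",
    "nobody:*:12000:0:99999:7:::",
    "guest:!:12000:0:99999:7:::",
]


if __name__ == "__main__":
    # Same first eight characters -> identical 56-bit DES key.
    same = des_crypt_key("longpassword") == des_crypt_key("longpassXYZ")
    print("DES key identical for 'longpassword' and 'longpassXYZ':", same)
    for user, scheme, limit in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {scheme} stops reading the password after {limit} characters")
```

On a real system, read `/etc/shadow` as root and pass its lines to `audit_shadow`; an account reported as `des-crypt` is one where the behaviour in the original post (login succeeds on the first eight characters) is expected, not a malfunction. The `classify_hash` check is also a quick way to confirm whether the shell `passwd` on a given box actually wrote a `$1$` hash, as Chris suggests it does on the RaQ2 and RaQ3.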