----- Original Message -----
Sent: Saturday, April 22, 2000 8:46 AM
Subject: Re: [cobalt-users] Admin/root password security hole

Hi Cassandra, Fathi et al :o)

again we have the question Qube or RaQ or what?

This thing "only the first 8 characters of the password
are ever significant" is pretty old stuff and a side-effect
of using the old CRYPT for password encryption.

The RaQ3 I'm using has PAM (Pluggable Authentication Module)
installed with MD5 encryption enabled. This is probably the result
of an installation of an rpm called Authen-PAM (including passwd-0.58-1 ?)
- perhaps the nice guy setting up the server did that for my sane sleep.

How the Qube or other RaQs come, I don't know.
As I didn't find any info about PAM in the Cobalt knowledge base
it could mean that the RaQs come initially shipped without PAM.

Whether you have PAM or not should become evident from the
manual page for 'passwd' or from the existence of the directory
/etc/pam.d
Or you telnet to the server and ask rpm -q Authen-PAM or such.

If you have PAM installed, you could enable MD5 encryption,
if that's not already done by the default installation.

Michael

----- Original Message -----
Sent: Saturday, April 22, 2000 8:54 AM
Subject: Re: [cobalt-users] Admin/root password security hole

> Cassandra,
>
> > Tonight, my server granted me access pointblank, with only 10/14 characters
> > in the password entered. I was able to access root in this manner as well.
> > I logged out and attempted this several times, with several versions of my
> > password. The server granted me access as long as I had the first eight
> > characters.
> > Obviously, this is a gaping security hole. Has anyone else had this
> > problem? Any solutions, other than the obvious of having a shorter
> > password?
>
> This is not a security hole, this is Linux. You cannot have passwords longer
> than 8 characters -- I mean, you can, but everything over character #8 will
> be ignored. The same applies for all user passwords, I think.
>
> Regards,
> Fathi
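
An added example, not part of the original thread: besides looking for /etc/pam.d, the stored hash field itself shows which scheme an account uses. Traditional crypt produces a 13-character field (the scheme that honors only the first 8 password characters), while MD5 crypt fields start with `$1$`. The function names and the sample entries below are constructed for illustration.

```shell
#!/bin/sh
# Classify one password field from a shadow/passwd-format line.
classify_hash() {
    case "$1" in
        '')          echo "no-password" ;;
        '*'|'!'*|x)  echo "locked-or-shadowed" ;;
        '$1$'*)      echo "md5-crypt" ;;        # full password is hashed
        '$'*)        echo "other-modular" ;;
        *)
            # Traditional crypt: 2 salt chars + 11 hash chars from [./0-9A-Za-z]
            if [ "${#1}" -eq 13 ]; then
                case "$1" in
                    *[!./0-9A-Za-z]*) echo "unknown" ;;
                    *)                echo "des-crypt" ;;  # only first 8 chars count
                esac
            else
                echo "unknown"
            fi ;;
    esac
}

# Read shadow-format lines on stdin; print each account still on old crypt.
des_accounts() {
    while IFS=: read -r user hash _rest; do
        if [ "$(classify_hash "$hash")" = "des-crypt" ]; then
            echo "$user"
        fi
    done
    return 0
}

# Constructed sample entries (placeholder hash strings, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:abJnggxhB/yWI:11069:0:99999:7:::
admin:Zx3kLmN0pQr.s:11069:0:99999:7:::
michael:$1$Qz8sT1ab$0123456789abcdefghijkl:11069:0:99999:7:::
guest::11069:0:99999:7:::
ftp:*:11069:0:99999:7:::
EOF
}

# On a real host (as root): des_accounts < /etc/shadow
sample_shadow | des_accounts
```

An account keeps its old hash until its password is next changed, so any account listed here still honors only the first eight characters even after MD5 has been enabled.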