Bug#406046: [Pkg-shadow-devel] Bug#406046: Useradd: limits password to eight characters
Nicolas François
nicolas.francois at centraliens.net
Mon Jan 8 19:06:42 CET 2007
tags 406046 normal
thanks
On Mon, Jan 08, 2007 at 09:13:22AM +0100, tinaweb at bestemselv.com wrote:
> Package: passwd
> Version: 1:4.0.18.1-6
> Severity: important
>
> When using useradd with an encrypted password, the password is limited to eight characters, but this is not
> mentioned anywhere.
> Example: Cleartext password "testuserpass" makes encrypted password "33nGdctTISeok". The system then accepts
> "testuser" as the password when logging in.
> Since this is not mentioned anywhere, it poses a security risk even if one uses a complex password but the
> 'complexity' is after the first eight characters (which might be a word easily cracked).
How did you create the user? useradd creates the user, but does not set a
password.
Also, the encrypted password you mentioned is not an MD5 password.
(it's for example the output of `mkpasswd testuserpasssdf 33`)
I suppose your system is not MD5 enabled.
Only MD5 passwords can be longer than 8 characters.
As MD5 passwords are the default on Debian, I'm lowering the severity of
this bug.
I'm interested in the following points:
* How did you create the user?
* How did you set the user's password?
* What's your /etc/pam.d/passwd (and other included files)? In
particular, does it contain something like:
password required pam_unix.so md5
Kind Regards,
--
Nekral
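As an added example (not code from the original thread or from the shadow package), a short audit script that parses shadow-format entries and flags accounts whose stored hash is classic DES crypt(3) output, the 13-character form seen in the report, which only checks the first eight characters of the password. The sample entries are constructed; the `$1$` field is a placeholder, not a real MD5 hash.

```python
"""Audit /etc/shadow-style entries for the password hashing scheme in use.

Classic DES crypt(3) output is 13 characters (2-character salt plus an
11-character hash) with no '$' prefix, and only the first 8 characters of
the cleartext are hashed.  The modular schemes ($1$ MD5, $5$ SHA-256,
$6$ SHA-512, $y$ yescrypt) have no such limit.
"""
import re
from typing import Dict, List

# Modular crypt prefixes -> (scheme name, whether the scheme truncates).
SCHEMES = {
    "$1$": ("md5", False),
    "$5$": ("sha256", False),
    "$6$": ("sha512", False),
    "$y$": ("yescrypt", False),
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> Dict[str, object]:
    """Classify one password field from a shadow entry."""
    if field == "" or field.startswith(("*", "!")):
        return {"scheme": "locked-or-empty", "truncates": False}
    for prefix, (name, truncates) in SCHEMES.items():
        if field.startswith(prefix):
            return {"scheme": name, "truncates": truncates}
    if DES_RE.match(field):
        return {"scheme": "des", "truncates": True}
    return {"scheme": "unknown", "truncates": False}


def audit_shadow(text: str) -> List[Dict[str, object]]:
    """Return one record per account whose hash truncates the password."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        info = classify_hash(fields[1])
        if info["truncates"]:
            findings.append({"user": fields[0], **info})
    return findings


# Constructed sample: the DES hash is the one quoted in the bug report;
# the $1$ entry is a made-up placeholder, not a real MD5 hash.
SAMPLE_SHADOW = """\
testuser:33nGdctTISeok:13521:0:99999:7:::
md5user:$1$saltsalt$FAKEHASHFAKEHASHFAKEHA:13521:0:99999:7:::
locked:!:13521:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['user']}: {f['scheme']} hash, only first 8 password chars checked")
```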