Bug#406046: [Pkg-shadow-devel] Bug#406046: Useradd: limits password to eight characters

Nicolas François nicolas.francois at centraliens.net
Mon Jan 8 19:06:42 CET 2007


tags 406046 normal
thanks

On Mon, Jan 08, 2007 at 09:13:22AM +0100, tinaweb at bestemselv.com wrote:
> Package: passwd
> Version: 1:4.0.18.1-6
> Severity: important
> 
> When using useradd with an encrypted password, the password is limited to eight characters, but this is not
> mentioned anywhere.
> Example: Cleartext password "testuserpass" makes encrypted password "33nGdctTISeok". The system then accepts
> "testuser" as the password when logging in.
> Since this is not mentioned anywhere it poses a security risk even if one uses complex passwords but the
> 'complexity' is after the first eight characters (which might be a word easily cracked)

How did you create the user? useradd creates the user, but does not set a
password.

Also, the encrypted password you mentioned is not an MD5 password.
(It is, for example, the output of `mkpasswd testuserpasssdf 33`.)

I suppose your system is not MD5 enabled.
Only MD5 passwords can be longer than 8 characters.
As MD5 passwords are the default on Debian, I'm lowering the severity of
this bug.

I'm interested in the following points:
 * How did you create the user?
 * How did you set the user's password?
 * What's your /etc/pam.d/passwd (and other included files)? In
   particular, does it contain something like:
    password   required   pam_unix.so md5

Kind Regards,
-- 
Nekral
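As an added example (not part of the original mail or the shadow package), the following script shows the distinction Nicolas describes from a defender's side: it parses /etc/shadow-style lines, tells traditional DES crypt hashes (13 characters, no `$` prefix, only the first 8 bytes of the password used) from MD5 crypt (`$1$` prefix, whole password used), and reports which accounts are effectively limited to 8 characters. The shadow lines are constructed; the DES hash is the one quoted in the bug report and the `$1$` entry is a made-up placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample /etc/shadow lines (not from a real system). The DES hash is
# the one quoted in the bug report; the $1$ entry is a placeholder, not a real hash.
SAMPLE_SHADOW = """\
testuser:33nGdctTISeok:13520:0:99999:7:::
alice:$1$saltsalt$XXXXXXXXXXXXXXXXXXXXXX:13520:0:99999:7:::
daemon:*:13520:0:99999:7:::
"""

# Traditional DES crypt: 2 salt chars + 11 hash chars from the crypt alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

@dataclass
class ShadowEntry:
    user: str
    scheme: str
    limit: Optional[int]  # bytes of password actually used; None = whole password

def classify_hash(h: str) -> Tuple[str, Optional[int]]:
    """Name the crypt(3) scheme from the hash format and its password limit."""
    if h == "" or h[0] in "*!":
        return "locked-or-empty", None
    if h.startswith("$1$"):
        return "md5-crypt", None        # whole password is hashed
    if DES_CRYPT_RE.match(h):
        return "des-crypt", 8           # only the first 8 bytes are used
    return "unknown", None

def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, h = line.split(":")[:2]
        scheme, limit = classify_hash(h)
        entries.append(ShadowEntry(user, scheme, limit))
    return entries

def truncated_accounts(text: str) -> List[str]:
    """Users whose scheme silently drops characters past the limit."""
    return [e.user for e in parse_shadow(text) if e.limit is not None]

def effective_password(password: str, stored_hash: str) -> str:
    """What the system really checks: the truncated prefix under DES crypt."""
    _, limit = classify_hash(stored_hash)
    return password if limit is None else password[:limit]
```

Running `truncated_accounts(SAMPLE_SHADOW)` lists `testuser`, and `effective_password("testuserpass", "33nGdctTISeok")` returns `"testuser"`, which is exactly why the reporter could log in with the shortened password.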
