[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
RE: Password SECURITY Issue!
- From: Adrian Buxton <abuxton internal ozemail com au>
- To: "'redhat-list redhat com'" <redhat-list redhat com>
- Subject: RE: Password SECURITY Issue!
- Date: Wed, 24 Mar 1999 16:20:38 +1100
If I am correct - which I may not be :) - Linux will only look at the first
8 characters, so you can have:
password: Helloiam98
and enter Helloiam and you will still be logged in, 'cause only the first 8
characters count.
Adrian
-----Original Message-----
From: Daniel Foerst [mailto:bfette itas07 cpit cua edu]
Sent: Wednesday, 24 March 1999 16:18
To: redhat-list redhat com
Cc: recipient.list.not.shown
Subject: Password SECURITY Issue!
Hey all,
Came across a VERY disturbing issue recently.
I had my user account set up with a password that was 11 chars long.
1st char was a capital letter, last 2 chars digits.
So something like this: Xxxxxxxxx37.
I found out by mistake that if I typed my password MINUS the 37 (or #s),
it STILL logged me in!
I tried this in telnet sessions, Xterm sessions, Rlogin (this is disabled,
enabled it to test this issue) etc.
Well, being very cautious, I changed my password to a 14 char
password. This time I did 39Xxxxxxxxxx39 for my password. Well, Linux was
a bit pushy about this not being a valid password, because it was a reversed
(almost) password of the previous, but it took.
I thought I had stopped the devil. Well, now if I log in and type 39Xxxxxxxxxx
MINUS the trailing 39, I STILL can log in.
This is not cool! Is there a password setup issue that I am missing?
I am running 5.2 with Kernel 2.2.1 that I just recompiled and installed.
I even made it a requirement that there be at least 1 numerical char in
passwords, which had to be at least 6 chars long, via Linuxconf.
Has anyone else had this problem? My machine is isolated from a network,
i.e. no network connection except for the times when I connect to test
network stuff.
Ideas etc all welcome, I hope I just found a security bug that is in the
works.
Thanks much,
-dan
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request redhat com with
"unsubscribe" as the Subject.
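Adrian's guess is right: traditional DES-based crypt(3), the default password hash on Linux systems of that era, uses only the first eight characters of the password and silently ignores the rest, so "Xxxxxxxxx37" and "Xxxxxxxx" produce the same hash and both log you in. The script below is an added example (not from either poster) that audits /etc/shadow-style entries for hashes still using that scheme and shows the collision Dan hit. The shadow lines are constructed sample data; the `crypt_probe` helper is a best-effort call into the system C library via ctypes and simply returns None where libcrypt is missing or refuses DES.

```python
"""Audit shadow entries for the 8-character truncation of traditional
DES crypt(3). Added example; the sample shadow data below is constructed."""
import ctypes
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Traditional DES hash: exactly 13 chars from the crypt alphabet, no "$id$" prefix.
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# "$id$" prefixes in the second field of /etc/shadow and how many password
# characters the scheme covers (None = the whole password is hashed).
SCHEMES = {
    "1": ("md5-crypt", None),
    "5": ("sha256-crypt", None),
    "6": ("sha512-crypt", None),
    "y": ("yescrypt", None),
    "2a": ("bcrypt", 72),
    "2b": ("bcrypt", 72),
    "2y": ("bcrypt", 72),
}

# Constructed sample: hash strings are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$QiUmZ4eHn8vR1wq0x6bfkJ5nEvxD7c3yX9Ys0Zk1lhA:10675:0:99999:7:::
dan:abJnggxhB/yWI:10675:0:99999:7:::
adrian:$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/:10675:0:99999:7:::
nobody:!!:10675:0:99999:7:::
"""


@dataclass
class Finding:
    user: str
    scheme: str
    limit: Optional[int]   # password chars the hash actually covers
    legacy_des: bool       # True when only the first 8 chars matter


def classify_hash(h: str) -> Tuple[str, Optional[int]]:
    """Name the hash scheme and its truncation limit for one shadow hash field."""
    if h == "" or h.startswith(("!", "*")):
        return "locked/no-password", None
    if h.startswith("$"):
        parts = h.split("$")
        sid = parts[1] if len(parts) > 1 else ""
        return SCHEMES.get(sid, (f"unknown(${sid}$)", None))
    if DES_HASH_RE.match(h):
        return "des-crypt", 8
    return "unknown", None


def audit_shadow(text: str):
    """Parse shadow-format lines and flag accounts still on DES crypt."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme, limit = classify_hash(fields[1])
        findings.append(Finding(fields[0], scheme, limit, scheme == "des-crypt"))
    return findings


def des_effective_password(password: str) -> str:
    """The part of the password DES crypt(3) actually uses."""
    return password[:8]


def collides_under_des(a: str, b: str) -> bool:
    """True when two different passwords are indistinguishable to DES crypt."""
    return des_effective_password(a) == des_effective_password(b)


def crypt_probe(password: str, salt: str = "ab") -> Optional[str]:
    """Best effort: hash with the C library's crypt(3). Returns None if
    libcrypt is unavailable or refuses DES (modern libxcrypt returns '*0')."""
    try:
        lib = ctypes.CDLL("libcrypt.so.1")
    except OSError:
        return None
    lib.crypt.restype = ctypes.c_char_p
    lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    out = lib.crypt(password.encode(), salt.encode())
    if not out or out.startswith(b"*"):
        return None
    return out.decode()


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        flag = "  <-- only first 8 chars checked" if f.legacy_des else ""
        print(f"{f.user:10} {f.scheme:20} limit={f.limit}{flag}")
    full, short = "Xxxxxxxxx37", "Xxxxxxxx"
    print("collide under DES:", collides_under_des(full, short))
    h1, h2 = crypt_probe(full), crypt_probe(short)
    if h1 is not None:
        print("libcrypt agrees:", h1 == h2)
```

Any account the audit flags as `des-crypt` is in Dan's situation regardless of how long the password is or what Linuxconf's length and digit rules require, because those rules are applied to the typed password before it is truncated by the hash. The fix is to switch the system to a non-truncating scheme (the MD5 option of the PAM password module on Red Hat of that era; SHA-crypt or yescrypt on a current system) and then have every user change their password, since existing hashes cannot be upgraded without the plaintext.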