password bug!


clive keough

Apr 12, 1999
Hi,

Although I've never seen it posted, is it well known that only the
first 8 characters of the password count on SCO OpenServer? It doesn't
just occur on one machine or one version here either. I wasn't aware
that this was a problem/bug and I've not seen it written elsewhere.

Thoughts please.

Clive

-**** Posted from RemarQ, http://www.remarq.com/?b ****-
Real Discussions for Real People

Jean-Pierre Radley

Apr 12, 1999
clive keough averred (on Mon, Apr 12, 1999 at 08:14:05AM -0800):

|
| Although I've never seen it posted, is it well known that only the
| first 8 characters of the password count on SCO OpenServer? It doesn't
| just occur on one machine or one version here either. I wasn't aware
| that this was a problem/bug and I've not seen it written elsewhere.
|

This may only be the case for the Traditional or Low security models.
See TA 108103.


--
Jean-Pierre Radley <j...@jpr.com> XC/XT Custodian Sysop, CompuServe SCOForum

Kevin W. Reed

Apr 12, 1999
That is true of most Unix platforms. Some can be changed to use
longer passwords, some cannot.

clive...@yahoo.com (clive keough) writes:

>Hi,


>
>Although I've never seen it posted, is it well known that only the
>first 8 characters of the password count on SCO OpenServer? It doesn't
>just occur on one machine or one version here either. I wasn't aware
>that this was a problem/bug and I've not seen it written elsewhere.
>

>Thoughts please.
>
>Clive

--
Kevin W. Reed - Voice 602-647-7121 TNET Services - MAILBOT.COM

Bill Walker

Apr 12, 1999

> clive...@yahoo.com (clive keough) writes:


This proves little, but costs nothing:


73 de Bill W5GFE

--------------------------------------------------
#!/usr/local/bin/perl
use strict;
use warnings;

# Each entry extends the previous one by a character or a word. If crypt()
# only looks at the first eight characters, every entry from 'fuddy sn'
# onward must produce the same "encryption" column.
my @list = (
    'fuddy',
    'fuddy ',
    'fuddy s',
    'fuddy sn',
    'fuddy sna',
    'fuddy snar',
    'fuddy snark',
    'fuddy snark cat',
    'fuddy snark cat loaded',
    'fuddy snark cat loaded with',
);

printf("%-30s %s %6s %15s\n", "plain", "salt", "length", "encryption");

my $salt = "AB";    # a two-character salt selects traditional DES crypt(3)

foreach my $plaintext (@list) {
    my $cyphertext = crypt($plaintext, $salt);
    printf("%-30s %s %6d %15s\n", $plaintext, $salt, length($plaintext), $cyphertext);
}


Kevin Smith

Apr 12, 1999
In article <1999041213...@jpradley.jpr.com> Jean-Pierre Radley <j...@jpr.com> writes:
>clive keough averred (on Mon, Apr 12, 1999 at 08:14:05AM -0800):
>|
>| Although I've never seen it posted, is it well known that only the
>| first 8 characters of the password count on SCO OpenServer? It doesn't
>| just occur on one machine or one version here either. I wasn't aware
>| that this was a problem/bug and I've not seen it written elsewhere.
>|
>
>This may only be the case for tradional or low security models.
>See TA 108103.

C2 security is a minimum of eight. Don't know the maximum. This is
of interest because it caused a great deal of confusion trying to get
visionfs working. Windoze only sends up to eight characters of your
password. The result is you can't connect to visionfs if your password
isn't exactly eight characters (with C2 security).
--
Do two rights make | Kevin Smith, ShadeTree Software, Philadelphia, PA, USA
a libertarian | 001-215-487-3811 shady.com,kevin bbs.cpcn.com,sysop

Frederico Fonseca

Apr 12, 1999
On 12 Apr 1999 20:11:31 GMT, Bill Walker <b...@cs3.ecok.EDU> wrote:

>Kevin W. Reed <kr...@telesys.tnet.com> wrote:
>> That is true of most Unix platforms. Some can be changed to use
>> longer passwords, some cannot.
>
>> clive...@yahoo.com (clive keough) writes:
>
>>>Hi,
>>>

>>>Although I've never seen it posted, is it well known that only the
>>>first 8 characters of the password count on SCO OpenServer? It doesn't
>>>just occur on one machine or one version here either. I wasn't aware

But the password length on OpenServer CAN be changed.
Just need to read the online man pages properly.

FF

John DuBois

Apr 13, 1999
In article <j0pQ2.22087$LX.8581155@WReNphoon3>,
clive keough <clive...@yahoo.com> wrote:
>Although I've never seen it posted, is it well known that only the
>first 8 characters of the password count on SCO OpenServer? It doesn't
>just occur on one machine or one version here either. I wasn't aware
>that this was a problem/bug and I've not seen it written elsewhere.

Only the first 8 characters count *by default*. It's easy to change. The part
of a password that is significant is set in "segments" of 8 characters. To
e.g. increase the significant length to 32 characters, do (on a 5.0 system):

usermod -D -x '{passwdSignificantSegments 4}'

MAJOR caveat:
Only the significant part of a password is stored, AND only the significant
part is compared. So, if you have the significant segments set to 1, you may
have users using >8-character passwords; the password routines just ignore the
extra characters. But when you increase the significant segments beyond 1,
suddenly all those users will not be able to log in... because now more than
8 characters of the password they enter are being compared against the 8
characters stored in the password database. I learned this the hard way when
I bumped segments up from 1 to 4 shortly after moving from XENIX to UNIX.
The solution was to put a notice in /etc/issue. These days you'd do better
to put it in BANNER in /etc/default/issue.

John
--
John DuBois spc...@armory.com. KC6QKZ http://www.armory.com./~spcecdt/

Bill Vermillion

Apr 13, 1999
In article <92396553...@news.remarQ.com>,
John DuBois <spc...@deeptht.armory.com.> wrote:

John, just a minor 'nit' here. I hope you don't think I'm too picky.

>MAJOR caveat: Only the significant part of a password is stored,
>AND only the significant part is compared.

Only the significant part of password is used to generate the
encrypted string written to disk, since passwords are not stored.

>I learned this the hard way when I bumped segments up from 1 to 4
>shortly after moving from XENIX to UNIX. The solution was to put
>a notice in /etc/issue. These days you'd do better to put it in
>BANNER in /etc/default/issue.

Now how do you get people to actually READ the banners :-)
--
Bill Vermillion bv @ wjv.com
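The caveat John describes (raise passwdSignificantSegments and users with long passwords are locked out) and Bill's nit (only a hash of the significant part is ever written to disk) can both be reproduced with a small model of segmented password handling. The script below is an added illustration, not SCO code and not from anyone in this thread. It assumes, purely for the model, that each 8-character segment is hashed independently with traditional DES crypt(3) and the results are concatenated; the real OpenServer on-disk format is not described here. Where the interpreter has no DES crypt (the crypt module is gone in Python 3.13, and some libcrypt builds disable DES) it falls back to a labelled SHA-256 stand-in so the truncation and comparison logic can still be exercised. The sample password is constructed.

```python
"""Model of "significant segments" password handling (added illustration).

Assumption for the model: a password's significant part is the first
8 * segments characters; each 8-character segment is hashed on its own and
the hashes are concatenated. Only that hash string is stored, never the
cleartext. This is NOT SCO's actual implementation.
"""
import hashlib
import warnings

with warnings.catch_warnings():
    warnings.simplefilter("ignore", DeprecationWarning)
    try:
        import crypt as _crypt      # deprecated in 3.11, removed in 3.13
    except ImportError:
        _crypt = None

SEGMENT = 8                          # characters per segment, per the thread


def hash_segment(segment: str, salt: str) -> str:
    """One-way hash of one <=8-char segment.

    Prefers traditional DES crypt(3), which itself ignores anything past the
    eighth character. If DES crypt is unavailable, a constructed stand-in
    (salt + 11 hex chars of SHA-256) keeps the 13-char shape; it is an
    assumption for demonstration only, not crypt.
    """
    if _crypt is not None:
        h = _crypt.crypt(segment, salt)
        if h and len(h) == 13 and h.startswith(salt):   # genuine DES output
            return h
    digest = hashlib.sha256((salt + segment).encode()).hexdigest()
    return salt + digest[:11]


def significant(password: str, segments: int) -> str:
    """Only the first 8*segments characters count; the rest is silently dropped."""
    return password[: SEGMENT * segments]


def set_password(password: str, segments: int, salt: str = "AB") -> str:
    """Return what the password database would store: one 13-char hash per
    significant segment. The cleartext is not stored, only this string."""
    sig = significant(password, segments)
    chunks = [sig[i : i + SEGMENT] for i in range(0, len(sig), SEGMENT)] or [""]
    return "".join(hash_segment(c, salt) for c in chunks)


def verify(entered: str, stored: str, segments: int) -> bool:
    """Login check: hash the significant part of what was typed, using the
    salt from the stored string, and compare against what is on disk."""
    salt = stored[:2]
    return set_password(entered, segments, salt) == stored


def lockout_demo() -> dict:
    """Reproduce the caveat: a user sets a 22-char password while segments=1,
    then the admin raises segments to 4 without having passwords re-set."""
    pw = "fuddy snark cat loaded"          # constructed sample password
    stored = set_password(pw, 1)           # recorded under the old setting
    return {
        "full_pw_segments1": verify(pw, stored, 1),        # True: extra chars ignored
        "first8_segments1": verify(pw[:8], stored, 1),     # True: identical to crypt
        "full_pw_segments4": verify(pw, stored, 4),        # False: 22 chars vs 8 stored
        "first8_segments4": verify(pw[:8], stored, 4),     # True: typing 8 chars still works
        "after_reset_segments4": verify(pw, set_password(pw, 4), 4),  # True once re-set
    }


if __name__ == "__main__":
    for name, ok in lockout_demo().items():
        print(f"{name:24s} {ok}")
```

The "first8_segments4" entry is the practical escape hatch the thread implies: after the segment count is raised, an affected user can still get in by typing only the first eight characters of the old password, then set a new one so that all segments are recorded.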
