> It seems that su accepts valid password (unix) more than 8 characters. But
> it just reads first 8 chars and authenticates if the user name and first 8
> chars of the password is a valid user account. My colleague has detected it.

I did not look at the code but I do not believe that su is truncating the password. I believe it is handing it to the system for authentication and the system is only looking at the first 8 characters. That has been the typical behavior. That way if the system is really configured to use long passwords and md5 crypt it all still works. Perhaps someone else will now look at the code and state that I am wrong which would be great.

> Bug Input:
> 1. Valid unix usr account:
>
> login: <root>
> pwd: <password>
> 2. Bug simulation:
> enter cmd su:
> Enter login: <root>
> Enter pwd: <passwordbuggysu>
> util. su will authenticate you successfully. It is a bug, isn't it? But try
> to logon to a unix/linux terminal, it will throw you out:-)) We tested it
> with Linux 2.4.10.

Probably the login program is blocking you if you enter more than eight characters regardless of what they are. But that makes no sense to me either. On my systems I can definitely have a password that is exactly 8 characters long and I can log into the system by typing in the valid password followed by garbage at the end. I just tested it. But that is on an old style 8 char limited password system running NIS. But most modern systems allow longer passwords to be used with shadow passwords and better encryption.

> We hope that the bug will be fixed in the next release.
>
> Regards,
>
> Unix users

Bob
_______________________________________________
Bug-sh-utils mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-sh-utils
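The reply above attributes the behaviour to the system's password hashing rather than to su. As an added example (not part of the original thread and not sh-utils code), this Python audit reads shadow-format entries and flags accounts stored with traditional DES crypt, the scheme in which only the first 8 password characters count. The function names, sample entries and hash strings are constructed for illustration.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, no "$" prefix.
# This scheme uses only the first 8 characters of the password.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt identifiers whose schemes are not limited to 8 characters.
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

def classify(field):
    """Return (scheme, truncates_at_8) for one shadow password field."""
    # A leading "!" marks a locked account; the hash behind it still matters
    # because unlocking the account makes it usable again.
    locked = field.startswith("!")
    body = field.lstrip("!")
    if body in ("", "*"):
        return ("locked" if (locked or body == "*") else "empty", False)
    if body.startswith("$"):
        ident = body.split("$")[1]
        return (MODULAR.get(ident, "unknown-modular"), False)
    if DES_RE.match(body):
        return ("des-crypt", True)
    return ("unknown", False)

def audit(shadow_text):
    """Return user names whose hash scheme ignores characters past the 8th."""
    flagged = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        _scheme, truncates = classify(parts[1])
        if truncates:
            flagged.append(parts[0])
    return flagged

# Constructed sample in /etc/shadow layout; the hash strings are not real.
SAMPLE = """\
root:ab1Xk9QzP0vLm:11600:0:99999:7:::
alice:$1$saltsalt$abcdefghijklmnopqrstuv:11600:0:99999:7:::
bob:!cd2Yl8RyO1wKn:11600:0:99999:7:::
daemon:*:11600:0:99999:7:::
"""

if __name__ == "__main__":
    for user in audit(SAMPLE):
        print(user, "uses DES crypt: only the first 8 password characters count")
```

Accounts it flags need a password change after the system is switched to a longer-password scheme such as md5 crypt, since an existing hash cannot be converted in place.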