Package: vsftpd
Version: 2.3.5-3
Severity: normal

With the Debian package version of /etc/vsftpd.conf, the only change I made was to uncomment:

    local_enable=YES

Then local users with a password >128 characters long will "silently" (I am quite sure within vsftpd) fail to log in.

"Silently", because there is no PAM error message in /etc/auth.log, and in /var/log/vsftpd.log you'll see:

    Sun Nov 3 20:53:58 2013 [pid 1] [ftptest] FAIL LOGIN: Client "192.168.192.168"

But without any explanation why... which is quite confusing, because everything seems ok ;)

(No PAM error message makes sense, because Debian these days (I think since it switched hashing in /etc/shadow) has no problems handling passwords of, I think, up to 512 characters (I tried 384 and that works fine).)

Ideally it would be nice to make vsftpd consistent with Debian and able to handle passwords longer than 128 chars... In any case I would suggest adding a warning about that to README.DEBIAN.

Tormen.

P.S.: As passwords these days often come from a safe password storage, it seems more interesting to use longer (even really long) passwords to just make any sort of dictionary attack impossible. ... but of course certificates in combination with a password would be best to ensure security :)
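
A triage sketch for the symptom described in the report, added here as an example (it is not part of the original report or of vsftpd): it flags FAIL LOGIN entries in vsftpd.log that have no PAM authentication failure for the same user nearby, which points to a rejection that happened before PAM was consulted. The auth-log line format, the 5-second window, the function name and every sample line except the one quoted in the report are assumptions.

```python
import re
from datetime import datetime

# vsftpd.log failure line, in the format quoted in the report.
VSFTPD_FAIL = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')
# Assumed pam_unix failure line for the vsftpd PAM service (not from the report).
PAM_FAIL = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ vsftpd: pam_unix\(vsftpd:auth\): '
    r'authentication failure;.*\bruser=(?P<user>\S+)')

def unexplained_failures(vsftpd_lines, auth_lines, window_s=5):
    """Return (user, client) for each FAIL LOGIN with no PAM failure for the
    same user within window_s seconds, i.e. rejections PAM never logged."""
    pam = [m for m in map(PAM_FAIL.match, auth_lines) if m]
    flagged = []
    for m in filter(None, map(VSFTPD_FAIL.match, vsftpd_lines)):
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        explained = False
        for p in pam:
            # Syslog timestamps carry no year; borrow it from the vsftpd entry.
            pts = datetime.strptime(f"{ts.year} {p['ts']}", "%Y %b %d %H:%M:%S")
            if p["user"] == m["user"] and abs((ts - pts).total_seconds()) <= window_s:
                explained = True
                break
        if not explained:
            flagged.append((m["user"], m["ip"]))
    return flagged

# Constructed sample input: the first vsftpd line is the one from the report,
# everything else is made up for illustration.
SAMPLE_VSFTPD = [
    'Sun Nov 3 20:53:58 2013 [pid 1] [ftptest] FAIL LOGIN: Client "192.168.192.168"',
    'Sun Nov 3 20:55:10 2013 [pid 1] [alice] FAIL LOGIN: Client "192.0.2.10"',
]
SAMPLE_AUTH = [
    'Nov  3 20:55:08 host vsftpd: pam_unix(vsftpd:auth): authentication failure; '
    'logname= uid=0 euid=0 tty=ftp ruser=alice rhost=192.0.2.10',
]

if __name__ == "__main__":
    for user, ip in unexplained_failures(SAMPLE_VSFTPD, SAMPLE_AUTH):
        print(f"{user} from {ip}: FAIL LOGIN with no PAM failure logged")
```

A flagged entry is only a hint; for the case in this report the next check is whether the account's password is longer than 128 characters.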