> This morning I started OpenSolaris, but I
> accidentally typed the wrong password. However, I was
> able to log in. Not believing it, I logged out and
> typed another password, and I still could log in!
> Seems that as long as the length of the password is
> the same as the true password, the system will let
> you in...
> I'm typing this post from a login with a bogus
> password.
>
> How can this be solved?
If the alternatives are the same for the first eight characters as the correct password, then the system is using the traditional Unix password hashing method, which ignores everything after the first eight characters. See policy.conf(4) to change the preferred method to one that supports longer passwords. This is not a bug, it's backwards compatibility in case of e.g. really old NIS clients or the like. See also crypt.conf(4).

If the alternatives are different in the first eight characters, that is definitely (IMO) a problem, and if that's the out of the box behavior with a vanilla install, it's a very serious problem at that.

--
This message posted from opensolaris.org
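To make the reply's diagnosis concrete, here is an added audit script (not from the original thread, and not Solaris code) that checks a policy.conf and shadow file for the traditional crypt_unix scheme, which only uses the first eight characters of a password. It assumes the policy.conf keys CRYPT_DEFAULT and CRYPT_ALGORITHMS_DEPRECATE, the `__unix__` name for the traditional algorithm, the `$id$` prefixes listed in crypt.conf, and that an unset CRYPT_DEFAULT means the traditional algorithm; the shadow and policy.conf contents are constructed samples.

```python
"""Audit a Solaris-style policy.conf and shadow file for the traditional
Unix crypt scheme, which hashes only the first eight password characters.

Added example; the key names and hash identifiers below are assumptions
based on policy.conf(4) and crypt.conf(4), not values from the thread.
"""
import re

TRADITIONAL = "__unix__"   # policy.conf(4) name for the traditional crypt_unix scheme
# "$id$" prefixes as listed in crypt.conf(4) (assumed mapping for this example)
ID_NAMES = {"1": "MD5", "2a": "Blowfish", "md5": "Sun MD5", "5": "SHA-256", "6": "SHA-512"}
# A traditional DES hash is 13 characters from the crypt alphabet with no "$" prefix
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")
LOCKED = {"", "NP", "*NP*", "*LK*", "*", "!"}

# Constructed sample inputs (not taken from any real system)
SAMPLE_POLICY_CONF = """\
# policy.conf excerpt (constructed)
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=__unix__
"""

SAMPLE_SHADOW = """\
root:$5$saltsalt$....:15000::::::
alice:ab0123456789A:15000::::::
bob:$6$rounds=5000$saltsalt$...:15000::::::
nologin:NP:15000::::::
locked:*LK*:15000::::::
"""


def parse_policy_conf(text):
    """Return KEY=VALUE settings from policy.conf, skipping comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def hash_scheme(field):
    """Identify which crypt scheme produced a shadow password field."""
    if field in LOCKED or field.startswith("*"):
        return "locked"
    if field.startswith("$"):
        ident = field.split("$")[1]
        return ID_NAMES.get(ident, "unknown:" + ident)
    if DES_HASH.match(field):
        return TRADITIONAL
    return "unknown"


def effective_length(password, scheme):
    """Number of password characters that actually take part in the hash."""
    return min(len(password), 8) if scheme == TRADITIONAL else len(password)


def audit(policy_text, shadow_text):
    """Report accounts still on crypt_unix and whether policy.conf allows more."""
    policy = parse_policy_conf(policy_text)
    # Assumption: an unset CRYPT_DEFAULT falls back to the traditional scheme
    default = policy.get("CRYPT_DEFAULT", TRADITIONAL)
    deprecated = [d.strip() for d in policy.get("CRYPT_ALGORITHMS_DEPRECATE", "").split(",")]
    traditional = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        if hash_scheme(field) == TRADITIONAL:
            traditional.append(user)
    findings = []
    if default == TRADITIONAL:
        findings.append("CRYPT_DEFAULT is __unix__: new passwords keep only 8 significant characters")
    if traditional and TRADITIONAL not in deprecated:
        findings.append("accounts %s use crypt_unix and __unix__ is not deprecated, so their "
                        "hashes will not be upgraded at next password change" % ", ".join(traditional))
    return {"default": default, "traditional_accounts": traditional, "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY_CONF, SAMPLE_SHADOW)["findings"]:
        print("FINDING:", finding)
```

The symptom in the post (any password that matches the real one for its first eight characters is accepted) corresponds to `effective_length` returning 8 for a crypt_unix hash; the audit flags both the default scheme and the accounts whose existing hashes are still in that format, since changing CRYPT_DEFAULT alone only affects passwords set afterwards.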
