Package: vsftpd
Version: 2.3.5-3
Severity: normal

With the Debian package version of /etc/vsftpd.conf.
The only change I did was to uncomment:
        local_enable=YES

Then local users with a password >128 characters long will "silently" (I
am quite sure within vsftpd) fail to log in.

"silently", because there is no PAM error message in /etc/auth.log
and in /var/log/vsftpd.log you'll see:
        Sun Nov  3 20:53:58 2013 [pid 1] [ftptest] FAIL LOGIN: Client "192.168.192.168"
But without any explanation why... which is quite confusing, because
everything seems OK ;)

(no PAM error message makes sense, because Debian these days (I think
since it switched hashing in /etc/shadow) has no problems handling
passwords of I think up to 512 characters (I tried 384 and that works fine))

Ideally it would be nice to make vsftpd consistent with Debian and able
to handle passwords longer than 128 chars...

In any case I would suggest adding a warning about that to README.DEBIAN.


Tormen.


P.S.: As passwords these days often come from a safe password storage it
seems more interesting to use longer (even really long passwords) to
just make any sort of dictionary attack impossible.
... but of course certificates in combination with a password would be
best to ensure security :)
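An added check (not part of the bug report, and not vsftpd's or Debian's own code) for confirming the cutoff described above on your own server: it binary-searches for the longest password length a local user can log in with. It assumes it runs as root on the vsftpd host, that `user` is a throw-away test account whose password may be overwritten with `chpasswd`, and that acceptance is monotone in length (if N chars work, N-1 do too).

```python
"""Probe the longest password vsftpd accepts for a local user (added example)."""
import subprocess
from ftplib import FTP, error_perm


def make_probe(user, host="127.0.0.1"):
    """Return try_login(n): set an n-char password for `user`, then log in over FTP.

    Assumption: root on the vsftpd host, `user` is a throw-away test account.
    """
    def try_login(n):
        password = ("Pw" * n)[:n]  # deterministic n-character password
        subprocess.run(["chpasswd"], input=f"{user}:{password}\n".encode(), check=True)
        try:
            with FTP(host, timeout=10) as ftp:
                ftp.login(user, password)
            return True
        except error_perm:  # "530 Login incorrect": the server rejected it
            return False
    return try_login


def find_max_accepted_length(try_login, lo=1, hi=512):
    """Binary-search the largest n in [lo, hi] for which try_login(n) succeeds.

    Returns 0 if even `lo` characters are rejected and `hi` if every length
    up to `hi` works. Assumes acceptance is monotone in password length.
    """
    if not try_login(lo):
        return 0
    if try_login(hi):
        return hi
    # Invariant: try_login(lo) is True and try_login(hi) is False.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if try_login(mid):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    import sys
    limit = find_max_accepted_length(make_probe(sys.argv[1]))
    print(f"longest accepted password: {limit} characters")
```

On a server showing the behaviour reported here the script prints 128; after a fix (or on a server that honours the PAM limit) it should print 512.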
