Public bug reported:

If you look in debian/patches-applied/007_modules_pam_unix there is a bit of code that checks if the first 8 characters of a password are the same, pasted below. It ignores this check for hashing algorithms which have infinite password length, e.g. MD5. This bit of code needs to also include SHA256 and SHA512 as algorithms to skip this check for.

+>--/* The traditional crypt() truncates passwords to 8 chars. It is
+>-- possible to circumvent the above checks by choosing an easy
+>-- 8-char password and adding some random characters to it...
+>-- Example: "password$%^&*123". So check it again, this time
+>-- truncated to the maximum length. Idea from npasswd. --marekm */
+
+>--if (on(UNIX_MD5_PASS,ctrl) || on(UNIX_BIGCRYPT,ctrl))
+>-->---return NULL; /* unlimited password length */
+
+>--if (oldlen <= 8 && newlen <= 8)
+>-->---return NULL;
+
+>--new1 = strndup(new,8);
+>--old1 = strndup(old,8);

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New

--
Same password check fails for long passwords when using SHA512
https://bugs.launchpad.net/bugs/549915
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
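Review bot: the skip condition `if (on(UNIX_MD5_PASS,ctrl) || on(UNIX_BIGCRYPT,ctrl))` is the only thing standing between a full-length hash and the 8-character re-check, so when sha256 or sha512 is selected the code falls through to `new1 = strndup(new,8); old1 = strndup(old,8);` and a new password that merely shares its first 8 characters with the old one is rejected, even though those hashes use every character of the password. Add the sha256/sha512 control flags to that condition. Since the comment's rationale ("The traditional crypt() truncates passwords to 8 chars") only applies to the traditional DES crypt, consider inverting the test so that the truncated re-check runs only when that algorithm is in use; otherwise every future full-length algorithm added to pam_unix has to be remembered here as well.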
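As an added illustration, not code from pam_unix or from the bug report, the C model below reproduces the quoted skip condition and the truncated comparison in both its reported form and with the sha256/sha512 flags added, and shows why a SHA-512 user is wrongly rejected for the comment's own example "password$%^&*123". The flag names UNIX_SHA256_PASS and UNIX_SHA512_PASS, all four bit values, and the reduction of the re-check to a single same-password comparison are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical control bits standing in for the ctrl word in pam_unix.
 * UNIX_MD5_PASS and UNIX_BIGCRYPT appear in the quoted code; the two
 * SHA flag names and all four values are assumptions for this model. */
#define UNIX_MD5_PASS    (1u << 0)
#define UNIX_BIGCRYPT    (1u << 1)
#define UNIX_SHA256_PASS (1u << 2)
#define UNIX_SHA512_PASS (1u << 3)

#define on(flag, ctrl) (((ctrl) & (flag)) != 0)

/* Model of the truncated re-check: return true when the new password is
 * rejected because its first 8 characters equal the old one's.  The real
 * code re-runs its whole battery of checks on the strndup(...,8) copies;
 * only the "same as the old password" comparison is modelled here. */
static bool truncated_check_rejects(unsigned ctrl, const char *oldp,
                                    const char *newp, unsigned unlimited)
{
    size_t oldlen = strlen(oldp), newlen = strlen(newp);

    if (on(unlimited, ctrl))        /* hash uses the full password: skip */
        return false;
    if (oldlen <= 8 && newlen <= 8) /* nothing to truncate: already checked */
        return false;
    return strncmp(oldp, newp, 8) == 0;
}

/* Skip set exactly as in the quoted code: md5 and bigcrypt only. */
bool rejects_before_fix(unsigned ctrl, const char *oldp, const char *newp)
{
    return truncated_check_rejects(ctrl, oldp, newp,
                                   UNIX_MD5_PASS | UNIX_BIGCRYPT);
}

/* Skip set extended with sha256/sha512, as the report asks for. */
bool rejects_after_fix(unsigned ctrl, const char *oldp, const char *newp)
{
    return truncated_check_rejects(ctrl, oldp, newp,
                                   UNIX_MD5_PASS | UNIX_BIGCRYPT |
                                   UNIX_SHA256_PASS | UNIX_SHA512_PASS);
}

int main(void)
{
    const char *oldp = "password";          /* constructed sample passwords */
    const char *newp = "password$%^&*123";  /* the comment's own example */

    /* DES crypt truncates to 8 chars, so rejecting here is correct both ways;
     * SHA-512 hashes the full string, so only the fixed variant accepts it. */
    printf("DES     before=%d after=%d\n",
           rejects_before_fix(0, oldp, newp), rejects_after_fix(0, oldp, newp));
    printf("SHA-512 before=%d after=%d\n",
           rejects_before_fix(UNIX_SHA512_PASS, oldp, newp),
           rejects_after_fix(UNIX_SHA512_PASS, oldp, newp));
    return 0;
}
```

The point the model makes is that the truncated re-check is a property of the hash, not of the password: it is a sound defence only for an algorithm that discards everything after the eighth character, and applying it to a full-length hash turns a legitimate password change into a spurious "same password" rejection.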