Public bug reported:

If you look in debian/patches-applied/007_modules_pam_unix

There is a bit of code, pasted below, that checks if the first 8 characters of a password are
the same. It ignores this check for hashing algorithms which have infinite
password length, e.g. MD5.

This bit of code also needs to include SHA256 and SHA512 in the
algorithms for which this check is skipped.

+>--/* The traditional crypt() truncates passwords to 8 chars.  It is
+>--   possible to circumvent the above checks by choosing an easy
+>--   8-char password and adding some random characters to it...
+>--   Example: "password$%^&*123".  So check it again, this time
+>--   truncated to the maximum length.  Idea from npasswd.  --marekm */
+
+>--if (on(UNIX_MD5_PASS,ctrl) || on(UNIX_BIGCRYPT,ctrl))
+>-->---return NULL;  /* unlimited password length */
+
+>--if (oldlen <= 8 && newlen <= 8)
+>-->---return NULL;
+
+>--new1 = strndup(new,8);
+>--old1 = strndup(old,8);
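Review bot: the early return at `if (on(UNIX_MD5_PASS,ctrl) || on(UNIX_BIGCRYPT,ctrl))` is the only thing that exempts full-length hashes from the truncated re-check, and it does not cover the sha256 and sha512 options that pam_unix also accepts, so under those options a change from "password123" to "password$%^&*123" is still compared on the first 8 characters and rejected even though the whole string is hashed. Extend that condition with the control bits set by the sha256 and sha512 options so the `strndup(new,8)` / `strndup(old,8)` path is reached only when the configured scheme really truncates to 8 characters. The comment above the check should be updated at the same time: it still presents the traditional crypt() 8-char limit as the reason for the re-check, and a reader needs to know that the exemption list, not the comment, decides which schemes are affected.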

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Same password check fails for long passwords when using SHA512
https://bugs.launchpad.net/bugs/549915
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
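As an added illustration (not code from pam_unix, the Ubuntu patch, or the bug report), the following C program models the quoted check: a small hypothetical flag set stands in for pam_unix's ctrl bits, the re-run checks are reduced to the "first 8 characters equal" comparison the report describes, and a `fixed` switch contrasts the behaviour of the quoted patch (only md5/bigcrypt exempt) with the behaviour the report asks for (sha256/sha512 exempt too). The enum names, function names and sample passwords are constructed for this example.

```c
/* Added example modelling the pam_unix "same first 8 chars" re-check.
 * The hash_alg values and function names are hypothetical stand-ins for
 * pam_unix's ctrl bits; they are not the module's real identifiers. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum hash_alg { HASH_DES = 0, HASH_MD5, HASH_BIGCRYPT, HASH_SHA256, HASH_SHA512 };

/* True when the scheme hashes the whole password, so the 8-char re-check
 * is meaningless.  fixed=false reproduces the quoted patch, where only
 * md5 and bigcrypt are exempt; fixed=true adds sha256/sha512 as the
 * report requests. */
static bool unlimited_length(enum hash_alg alg, bool fixed)
{
    switch (alg) {
    case HASH_MD5:
    case HASH_BIGCRYPT:
        return true;
    case HASH_SHA256:
    case HASH_SHA512:
        return fixed;
    default:
        return false;   /* traditional DES crypt(): only the first 8 chars count */
    }
}

/* Mirror of the quoted logic: returns true when the new password would be
 * rejected because its first 8 characters equal the old password's. */
static bool rejected_as_same_prefix(const char *old_pw, const char *new_pw,
                                    enum hash_alg alg, bool fixed)
{
    size_t oldlen = strlen(old_pw), newlen = strlen(new_pw);

    if (unlimited_length(alg, fixed))
        return false;   /* whole password is hashed; skip, like the patch's early return */
    if (oldlen <= 8 && newlen <= 8)
        return false;   /* both already <= 8 chars: the earlier checks saw them whole */

    /* The patch does strndup(old,8)/strndup(new,8) and re-runs its checks;
     * here that collapses to comparing the first 8 characters. */
    return strncmp(old_pw, new_pw, 8) == 0;
}

int main(void)
{
    const char *old_pw = "password123";        /* constructed sample */
    const char *new_pw = "password$%^&*123";   /* the patch comment's own example */

    printf("DES             : %s\n",
           rejected_as_same_prefix(old_pw, new_pw, HASH_DES, false) ? "rejected" : "accepted");
    printf("SHA512, as patched: %s\n",
           rejected_as_same_prefix(old_pw, new_pw, HASH_SHA512, false) ? "rejected" : "accepted");
    printf("SHA512, with fix  : %s\n",
           rejected_as_same_prefix(old_pw, new_pw, HASH_SHA512, true) ? "rejected" : "accepted");
    return 0;
}
```

With the patch as quoted, the SHA512 case is rejected exactly like DES, although sha512crypt hashes every character of "password$%^&*123"; with the exemption extended, only the truly truncating DES case is rejected.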
