From nobody@FreeBSD.org  Mon May  1 23:11:46 2000
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 5C9A937B72A
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  1 May 2000 23:11:46 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id XAA62698;
	Mon, 1 May 2000 23:11:46 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Message-Id: <200005020611.XAA62698@freefall.freebsd.org>
Date: Mon, 1 May 2000 23:11:46 -0700 (PDT)
From: sherwin@newpagcor.com
Sender: nobody@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: Password during Login
X-Send-Pr-Version: www-1.0

>Number:         18339
>Category:       i386
>Synopsis:       Password during Login
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May  1 23:20:00 PDT 2000
>Closed-Date:    Wed May 3 06:26:20 PDT 2000
>Last-Modified:  Wed May  3 06:27:22 PDT 2000
>Originator:     Ross Sherwin de Claro
>Release:        4.0-RELEASE
>Organization:
Philippine Amusement and Gaming Corporation
>Environment:
FreeBSD kapre.newpagcor.com 4.0-RELEASE FreeBSD 4.0-RELEASE #1: Tue May  2 13:37:51 PHT 2000     sherwin@kapre.newpagcor.com:/usr/src/sys/compile/KAPRE  i386
>Description:
I found out that during the login phase, FreeBSD does not check the password if it is longer than the stored password of the user against the input one. 
>How-To-Repeat:
Try to login, root or even ordinary user:

Now in our case the password of root is "qwerty12"

Try entering these passwords:

-password-      -result-
qwerty           invalid
qwery12          invalid
qwerty12         valid
qwerty1234       valid, but it's supposed to be invalid

>Fix:
Re-configure the algorithm for how FreeBSD checks the password against its database.

>Release-Note:
>Audit-Trail:

From: Brooks Davis <brooks@one-eyed-alien.net>
To: sherwin@newpagcor.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: i386/18339: Password during Login
Date: Tue, 2 May 2000 11:38:13 -0700

 On Mon, May 01, 2000 at 11:11:46PM -0700, sherwin@newpagcor.com wrote:
 > 
 > I found out that during login phase, FreeBSD does not check the
 > password if its longer than the stored password of the user against the
 > inputed one. 
 
 This is a misstatement of the "problem".  What is happening is that with
 the standard DES based UNIX password scheme, only the first 8 characters
 of the password are significant.  What is happening is that there is no
 difference between "qwerty12" and "qwerty1234" because "qwerty1234" is
 truncated to "qwerty12".  While this behavior may not be ideal in
 general, it is the correct behavior in that all UNIX and UNIX-like
 systems have the same behavior.  Changing the password system to reject
 all passwords greater than 8 characters when using DES hashing would
 "fix" the problem, but would add no real security and would cause great
 confusion by changing years of standard behavior.
 
 I would recommend closing this PR.
 
 -- Brooks
 
 -- 
 Any statement of the form "X is the one, true Y" is FALSE.
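
The truncation Brooks describes, reproduced as an added example (this is not code from the PR or from FreeBSD's crypt(3) implementation). Traditional DES crypt builds a 56-bit DES key from at most 8 password bytes (each byte shifted left by one so the low parity bit is discarded), encrypts an all-zero block 25 times, and encodes the result in the crypt alphabet. The 12-bit salt normally perturbs the DES E-box, which the standard library cipher cannot do, so the example fixes the salt to ".." (salt value 0, no perturbation), where plain DES reproduces the classic algorithm. The function names DesCrypt, CheckLogin, FullLengthDigest and ExceedsDesLimit are this example's own; the plain SHA-256 digest stands in for any scheme that consumes every character (FreeBSD's $1$ MD5-crypt does) and is not that scheme itself.

```go
package main

import (
	"crypto/des"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Encoding alphabet used by crypt(3) for the salt and hash characters.
const cryptAlphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// DesCrypt computes the traditional DES crypt(3) hash of password with the
// fixed salt "..". Salt value 0 leaves the E-box unperturbed, so the standard
// DES primitive from crypto/des reproduces the classic algorithm: a 56-bit key
// from at most 8 password bytes, a zero block encrypted 25 times, and the
// 64-bit result encoded six bits at a time.
func DesCrypt(password string) string {
	key := make([]byte, 8) // password bytes beyond the 8th never reach the key
	for i := 0; i < 8 && i < len(password); i++ {
		// 7-bit ASCII goes into the high bits; DES ignores the low (parity) bit.
		key[i] = password[i] << 1
	}
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // cannot happen: the key is always exactly 8 bytes
	}
	buf := make([]byte, 8) // all-zero plaintext block
	for i := 0; i < 25; i++ {
		block.Encrypt(buf, buf)
	}
	v := binary.BigEndian.Uint64(buf)
	out := []byte("..") // salt characters come first, as in /etc/master.passwd
	for i := 0; i < 10; i++ {
		out = append(out, cryptAlphabet[(v>>(58-6*uint(i)))&0x3f])
	}
	// Last character carries the remaining 4 bits padded with two zero bits.
	out = append(out, cryptAlphabet[(v<<2)&0x3f])
	return string(out)
}

// CheckLogin mirrors what login(1) does: hash the candidate with the same
// scheme and salt, then compare against the stored field.
func CheckLogin(stored, candidate string) bool {
	return DesCrypt(candidate) == stored
}

// FullLengthDigest hashes the entire password. Plain SHA-256 is used here as
// an illustrative stand-in for a scheme that consumes every character; it is
// not FreeBSD's MD5-crypt.
func FullLengthDigest(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// ExceedsDesLimit reports whether a password has characters the DES scheme
// will silently ignore, which is the only thing an administrator can warn on.
func ExceedsDesLimit(password string) bool {
	return len(password) > 8
}

func main() {
	// Constructed sample: root's stored hash for "qwerty12", as in the PR.
	stored := DesCrypt("qwerty12")
	fmt.Println("stored field:", stored)
	for _, cand := range []string{"qwerty", "qwery12", "qwerty12", "qwerty1234"} {
		fmt.Printf("%-12s DES-crypt accepts: %-5v  full-length scheme accepts: %v\n",
			cand, CheckLogin(stored, cand),
			FullLengthDigest(cand) == FullLengthDigest("qwerty12"))
	}
}
```

Running it reproduces the PR's table: "qwerty" and "qwery12" are rejected, while "qwerty12" and "qwerty1234" both hash to the same 13-character field because the key built from "qwerty1234" is byte-for-byte the key built from "qwerty12". The full-length digest distinguishes the two, which is the behaviour a user would get after switching the system to a non-DES password format.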
 
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Wed May 3 06:26:20 PDT 2000 
State-Changed-Why:  
Behaviour explained by Brooks; see the Handbook for more information. 
>Unformatted:
