From chris@toast.invisilogic.net  Sun May 18 03:35:15 2003
Return-Path: <chris@toast.invisilogic.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0B31437B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 18 May 2003 03:35:15 -0700 (PDT)
Received: from toast.invisilogic.net (toast.invisilogic.net [193.201.71.130])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 676E243FAF
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 18 May 2003 03:35:14 -0700 (PDT)
	(envelope-from chris@toast.invisilogic.net)
Received: from localhost.invisilogic.net ([127.0.0.1] helo=toast.invisilogic.net)
	by toast.invisilogic.net with esmtp (Exim 3.36 #1)
	id 19HLVN-000DIi-00
	for FreeBSD-gnats-submit@freebsd.org; Sun, 18 May 2003 11:35:01 +0100
Received: (from chris@localhost)
	by toast.invisilogic.net (8.12.8p1/8.12.8/Submit) id h4IAZ0NX051128;
	Sun, 18 May 2003 11:35:00 +0100 (BST)
Message-Id: <200305181035.h4IAZ0NX051128@toast.invisilogic.net>
Date: Sun, 18 May 2003 11:35:00 +0100 (BST)
From: Chris Lewis <chris@digitalwaffle.net>
Reply-To: Chris Lewis <chris@digitalwaffle.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Password lengths over 8 characters are ignored
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         52392
>Category:       i386
>Synopsis:       Password lengths over 8 characters are ignored
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-i386
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 18 03:40:13 PDT 2003
>Closed-Date:    Thu Jan 22 17:12:59 PST 2004
>Last-Modified:  Thu Jan 22 17:12:59 PST 2004
>Originator:     Chris Lewis
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
None
>Environment:
System: FreeBSD toast.invisilogic.net 4.8-STABLE FreeBSD 4.8-STABLE #2: Mon May 5 21:03:22 BST 2003 root@toast.invisilogic.net:/usr/src/sys/compile/TOAST i386


VIA EPIA Mini-ITX, 800MHz
CPU: VIA C3 Samuel 2 (800.03-MHz 686-class CPU)
  Origin = "CentaurHauls"  Id = 0x673  Stepping = 3
  Features=0x803035<FPU,DE,TSC,MSR,MTRR,PGE,MMX>
real memory  = 266338304 (260096K bytes)
avail memory = 253939712 (247988K bytes)

>Description:
Although md5 password hashes are enabled (in login.conf, as per default), and appear to be hashing okay, password lengths over 8 characters (it would appear) are totally irrelevant.

Logins are accepted regardless of any characters that follow the first 8 of the password, i.e.:

my login for a password of "thereisamooseontheloose" was accepted as:
thereisa21398172397124761248
thereisa

and any longer variations thereof.

I have not been able to reproduce this on machines running 4.5-STABLE. The bug is apparent when connecting with SSH (of the stable-included version), and when connecting via FTP using ProFTPd (these are the only two services I run that use password-based auth, so I cannot confirm whether or not the bug affects other programs).

All the latest security patches have been applied to the system since the release of 4.8-STABLE.

>How-To-Repeat:
Set yourself a password length longer than 8 characters, and try logging in with just the first 8.

>Fix:
None
>Release-Note:
>Audit-Trail:

From: Chris Lewis <chris@digitalwaffle.net>
To: freebsd-gnats-submit@FreeBSD.org, chris@digitalwaffle.net
Cc:  
Subject: Re: i386/52392: Password lengths over 8 characters are ignored
Date: Sun, 18 May 2003 11:44:29 +0100

 Sorry guys,
 
 It would appear the problem is not with the FreeBSD core, but instead with 
 /usr/bin/adduser, which I used to set my test user's password initially; 
 the problem did not apply to passwords changed later (as they should be) 
 with "passwd".
 
 The issue is, therefore, with adduser - but I don't know how relevant it is 
 considering users should change their passwords anyway after being added. :)
 
 Regards,
 
 --
 Chris Lewis [boff]
 
 Encryption is mathematical warfare.
 Mathematics is the universal language.
 Encryption is secrecy.
 Secrecy is a declaration of war.
 

From: "Simon L. Nielsen" <simon@nitro.dk>
To: Chris Lewis <chris@digitalwaffle.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: i386/52392: Password lengths over 8 characters are ignored
Date: Sun, 18 May 2003 12:57:20 +0200

 On 2003.05.18 03:50:11 -0700, Chris Lewis wrote:
 
 >  It would appear the problem is not with the FreeBSD core, but instead with 
 >  /usr/bin/adduser, which I used to set my test user's password initially, 
 >  the problem did not apply to passwords changed later (as they should be) 
 >  with "passwd".
 > 
 >  The issue is, therefore, with adduser - but I don't know how relevant it is 
 >  considering users should change their passwords anyway after being added. :)
 
 I think the problem is that adduser uses DES passwords by default even
 when you have set MD5 e.g. in login.conf.  This has been discussed a few
 times before, but I can't remember the reason for this.  Try searching
 the mailing list archives.
 
 --
 Simon L. Nielsen
 

From: Chris Lewis <chris@digitalwaffle.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: i386/52392: Password lengths over 8 characters are ignored
Date: Sun, 18 May 2003 12:26:59 +0100

 At 11:57 18/05/2003, Simon L. Nielsen wrote:
 >I think the problem is that adduser uses DES passwords by default even
 >when you have set MD5 e.g. in login.conf.  This has been discussed a few
 >times before, but I can't remember the reason for this.  Try searching
 >the mailing list archives.
 
 Agreed - /usr/sbin/adduser calls the Perl function crypt() which is simply 
 DES... d'oh.
 
 Might as well consider this bug closed.
 
 Regards,
 
 --
 Chris Lewis [boff]
 
 Encryption is mathematical warfare.
 Mathematics is the universal language.
 Encryption is secrecy.
 Secrecy is a declaration of war.
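
The DES-versus-MD5 distinction that Simon and Chris settle on is visible in the password field itself: a traditional DES crypt(3) hash is 13 characters with no `$` prefix and is computed from only the first 8 characters of the password, whereas an MD5 crypt hash carries a `$1$` prefix and uses the whole password. The following is an added example, not code from this PR, from FreeBSD's adduser, or from any FreeBSD tool: a small Python audit that reads master.passwd-style lines and flags accounts whose stored hash is DES (or empty), which is the check an administrator would run after reading this thread. The usernames and hash strings in it are constructed sample data in the right shape, not real hashes.

```python
"""Audit master.passwd-style entries for password hashes that truncate input.

Added example with constructed sample data; not code from the PR or from adduser.
Traditional DES crypt(3) stores 13 characters from [./0-9A-Za-z] with no '$'
prefix, and only the first 8 characters of the password influence the hash.
Modular-crypt hashes ($1$ MD5, $2x$ Blowfish, $5$/$6$ SHA-2) use the whole
password, so a login that succeeds with a truncated password points at DES.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Traditional DES: 2 salt characters followed by 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: "$<id>$<salt>$<hash>"; only the id is needed here.
MODULAR_RE = re.compile(r"^\$([0-9A-Za-z]+)\$")

MODULAR_SCHEMES = {
    "1": "md5",
    "2": "blowfish", "2a": "blowfish", "2b": "blowfish", "2y": "blowfish",
    "5": "sha256",
    "6": "sha512",
    "sha1": "sha1",
}

# Constructed master.passwd content (FreeBSD layout: 10 colon-separated fields).
# The hash strings are made-up values of the right shape, not real hashes.
SAMPLE_MASTER_PASSWD = """\
# name:password:uid:gid:class:change:expire:gecos:home:shell
root:$1$LmR9hXkO$Q1Vq2p6OBowuv5ryfrEXq0:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
chris:b4Ofpv0UaUQ1c:1001:1001::0:0:Chris Test:/home/chris:/bin/sh
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
"""


@dataclass
class Finding:
    user: str
    scheme: str
    # Number of password characters the hash actually depends on;
    # None means the whole password is used.
    significant_chars: Optional[int]


def classify_hash(field: str) -> str:
    """Name the crypt scheme used by one master.passwd password field."""
    if field == "":
        return "empty"            # no password at all
    if field.startswith(("*", "!")):
        return "disabled"         # '*', '*LOCKED*...', '!': no password login
    m = MODULAR_RE.match(field)
    if m:
        return MODULAR_SCHEMES.get(m.group(1), "modular:" + m.group(1))
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit(master_passwd: str) -> List[Finding]:
    """Parse master.passwd text and classify every account's hash."""
    findings: List[Finding] = []
    for raw in master_passwd.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed master.passwd line: {raw!r}")
        user, pw_field = fields[0], fields[1]
        scheme = classify_hash(pw_field)
        findings.append(Finding(user, scheme, 8 if scheme == "des" else None))
    return findings


def weak_accounts(findings: List[Finding]) -> List[str]:
    """Users whose stored hash either truncates the password or is empty."""
    return [f.user for f in findings if f.scheme in ("des", "empty")]


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines for an administrator."""
    out = []
    for f in findings:
        if f.scheme == "des":
            out.append(f"{f.user}: DES hash, only the first {f.significant_chars} "
                       "password characters are checked; rehash with passwd(1)")
        elif f.scheme == "empty":
            out.append(f"{f.user}: empty password field")
        else:
            out.append(f"{f.user}: {f.scheme}")
    return out


if __name__ == "__main__":
    for line in report(audit(SAMPLE_MASTER_PASSWD)):
        print(line)
```

On a real system the input would be the output of `pw usershow -a` or the contents of /etc/master.passwd read as root; the remedy for a flagged account is the one Chris found, resetting the password with passwd(1) so it is stored under the scheme configured in login.conf.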
 
State-Changed-From-To: open->closed 
State-Changed-By: cperciva 
State-Changed-When: Thu Jan 22 17:12:23 PST 2004 
State-Changed-Why:  
Closed, per submitter's statement. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=52392 
>Unformatted:
