From nobody@FreeBSD.ORG  Tue Jun 27 12:40:14 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id AA41137C2D4; Tue, 27 Jun 2000 12:40:13 -0700 (PDT)
Message-Id: <20000627194013.AA41137C2D4@hub.freebsd.org>
Date: Tue, 27 Jun 2000 12:40:13 -0700 (PDT)
From: john@jfive.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: DES in 3.5-RELEASE allows trailing characters
X-Send-Pr-Version: www-1.0

>Number:         19548
>Category:       misc
>Synopsis:       DES in 3.5-RELEASE allows trailing characters
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 27 12:50:01 PDT 2000
>Closed-Date:    Sat Dec 2 07:52:50 PST 2000
>Last-Modified:  Sat Dec 02 07:53:02 PST 2000
>Originator:     John Heyer
>Release:        3.5-RELEASE
>Organization:
J Five
>Environment:
FreeBSD proxy3.10MB.supranet.net 3.5-RELEASE FreeBSD 3.5-RELEASE #0: Tue Jun 27 12:29:24 CDT 2000     root@bench1.supranet.int:/usr/src/sys/compile/PROXY-IDE  i386        
>Description:
I can login using any password, provided my real password is the first substring.  
For example if my password was "plant", a password of "plant72495" will authenticate.  
>How-To-Repeat:
install DES and set a password.  Then login, inserting random characters after your correct password
>Fix:
Uninstalling DES fixes it.  

>Release-Note:
>Audit-Trail:

From: David Nugent <davidn@austel.net>
To: john@jfive.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/19548: DES in 3.5-RELEASE allows trailing characters
Date: Wed, 28 Jun 2000 07:10:33 +1000

 john@jfive.com wrote:
 
 > I can login using any password, provided my real password is the first substring.
 > For example if my password was "plant", a password of "plant72495" will authenticate.
 
 I am unable to reproduce this behaviour on 3.4-STABLE, 3.5-STABLE or
 4.0-STABLE. Are you
 sure you tried the exact example you've quoted?
 
 DES passwords do have a length limitation of 8 characters, which is a
 known weakness in
 DES per se on all compatible UNIX platforms. If the user's password is 8
 characters or
 longer, then certainly anything appended to the password is silently
 ignored when
 computing the hash. Junk appended after shorter passwords will certainly
 be used in
 deriving the hash.
 
 This limitation of DES is documented, and is why md5 hashes are generally
 preferred
 (the limitation there is 128 characters I believe).
 
 -- 
 || David Nugent                      || TS Manager, ISP Limited ||
 \\ davidn@austel.net | davidn@blaze.net.au | davidn@freebsd.org //
 .\\ Ph: +61396422322   Fax: +61396422063   Cell: +61404867638  //.
 
State-Changed-From-To: open->feedback 
State-Changed-By: dirk 
State-Changed-When: Wed Nov 8 05:15:13 PST 2000 
State-Changed-Why:  
John, can you please check if it's the mentioned "only-eight-chars-are- 
significant" problem? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19548 
State-Changed-From-To: feedback->closed 
State-Changed-By: dirk 
State-Changed-When: Sat Dec 2 07:52:50 PST 2000 
State-Changed-Why:  
Feedback timeout... 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19548 
>Unformatted:
