08-11-2010, 03:38 PM
Matt Keating

sshd bug?

Hi,

I've found a bug/problem with my CentOS 5.5 server. For any users who have
a password of 9 characters or more, only the first 9 characters are
used by the OS...
e.g. I set my password to "123456789" and I try to log on via ssh with
password "123456789ofgjdfuh" - it lets me in.
And if I set my password to "qwertasdfGHJB" and I enter
"qwertasdfSDWQWSDS" - it lets me in...

The 'passwd' command only recognises the first 9 characters too...

Has anyone seen this before, or know how to fix it? I feel it's a major
security risk and would like it fixed ASAP.

Thanks,
Matt
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
08-11-2010, 03:45 PM
Ray Van Dolson

sshd bug?

On Wed, Aug 11, 2010 at 04:38:22PM +0100, Matt Keating wrote:
> Hi,
>
> I've found a bug/problem with my centos 5.5 server. Any users who have
> a password of 9 characters or more, only the first 9 characters are
> used by the OS...
> e.g. I set my password to "123456789" and I try to log on via ssh with
> password "123456789ofgjdfuh" - it lets me in.
> And if I set my password to "qwertasdfGHJB" and I enter
> "qwertasdfSDWQWSDS" - it lets me in...
>
> The 'passwd' command only recognises the first 9 characters too...
>
> Has anyone seen this before, or know how to fix it? I feel its a major
> security risk and would like it fixed ASAP.

Sounds like you're using DES password hashes instead of the newer MD5
style.

If you take a peek at some of the password entries in your /etc/shadow
do they have a $1$ at the beginning? If not, you're probably using DES
which is limited to 8 characters.

There are a few other places where password length, strength, etc can
be configured, however I don't recall them off the top of my head.

This is almost certainly not sshd's fault.

Ray
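As an added example (not from the thread), here is a small POSIX sh audit that applies Ray's check to /etc/shadow-format lines: a hash field with no `$id$` prefix is legacy DES crypt(3), which only uses the first 8 characters of the password, so "123456789" and "123456789ofgjdfuh" produce the same hash. The sample lines and hash values below are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: classify shadow hash fields by prefix and flag DES entries.
# DES hashes are bare 13-character strings; modular hashes start with "$id$".

# Print the hash scheme used by one shadow hash field.
hash_type() {
    case "$1" in
        '' | '!'* | '*'*) echo locked ;;    # no usable password
        '$1$'*)           echo md5 ;;       # what authconfig --usemd5 produces
        '$5$'*)           echo sha256 ;;
        '$6$'*)           echo sha512 ;;
        '$y$'*)           echo yescrypt ;;
        '$'*)             echo unknown ;;   # some other modular scheme
        *)                echo des ;;       # legacy DES, truncates at 8 chars
    esac
}

# Read shadow-format lines on stdin and print "user:des" for every account
# still hashed with DES. Like grep, exits 0 when something was found, 1 if not,
# so it can gate a compliance check.
audit_shadow() {
    n=0
    while IFS=: read -r user hash _rest; do
        if [ -z "$user" ]; then continue; fi
        if [ "$(hash_type "$hash")" = des ]; then
            echo "$user:des"
            n=$((n + 1))
        fi
    done
    if [ "$n" -gt 0 ]; then return 0; else return 1; fi
}

# Constructed sample data; the hash values are placeholders, not real hashes.
SAMPLE_SHADOW='root:$1$saltsalt$PLACEHOLDERMD5HASH1234:15000:0:99999:7:::
matt:abJnggxhB/yWI:15000:0:99999:7:::
svc:!!:15000:0:99999:7:::
ray:$6$saltsalt$PLACEHOLDERSHA512HASH:15000:0:99999:7:::'

# Run the audit over the sample. On a real box: sudo sh audit.sh < /etc/shadow
des_users() { printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow; }
```

Only `matt` is reported, because root's `$1$` entry is already MD5 and the `!!` entry is locked; after `authconfig --usemd5 --updateall` users must still change their passwords once, since the existing DES hashes cannot be converted in place.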
 
08-11-2010, 03:57 PM
Matt Keating

sshd bug?

On Wed, Aug 11, 2010 at 4:45 PM, Ray Van Dolson <rayvd@bludgeon.org> wrote:
> On Wed, Aug 11, 2010 at 04:38:22PM +0100, Matt Keating wrote:
>> Hi,
>>
>> I've found a bug/problem with my centos 5.5 server. Any users who have
>> a password of 9 characters or more, only the first 9 characters are
>> used by the OS...
>> e.g. I set my password to "123456789" and I try to log on via ssh with
>> password "123456789ofgjdfuh" - it lets me in.
>> And if I set my password to "qwertasdfGHJB" and I enter
>> "qwertasdfSDWQWSDS" - it lets me in...
>>
>> The 'passwd' command only recognises the first 9 characters too...
>>
>> Has anyone seen this before, or know how to fix it? I feel its a major
>> security risk and would like it fixed ASAP.
>
> Sounds like you're using DES password hashes instead of the newer MD5
> style.
>
> If you take a peek at some of the password entries in your /etc/shadow
> do they have a $1$ at the beginning? If not, you're probably using DES
> which is limited to 8 characters.

Sounds like you're on the money. I didn't install this server, so I
didn't choose the security stuff.
Passwords don't start with $....

> There are a few other places where password length, strength, etc can
> be configured, however I don't recall them off the top of my head.
>
> This is almost certainly not sshd's fault.
>
> Ray

Will update shortly....
 
08-11-2010, 04:17 PM
Matt Keating

sshd bug?

On Wed, Aug 11, 2010 at 4:57 PM, Matt Keating <keatster@gmail.com> wrote:
> On Wed, Aug 11, 2010 at 4:45 PM, Ray Van Dolson <rayvd@bludgeon.org> wrote:
>> On Wed, Aug 11, 2010 at 04:38:22PM +0100, Matt Keating wrote:
>>> Hi,
>>>
>>> I've found a bug/problem with my centos 5.5 server. Any users who have
>>> a password of 9 characters or more, only the first 9 characters are
>>> used by the OS...
>>> e.g. I set my password to "123456789" and I try to log on via ssh with
>>> password "123456789ofgjdfuh" - it lets me in.
>>> And if I set my password to "qwertasdfGHJB" and I enter
>>> "qwertasdfSDWQWSDS" - it lets me in...
>>>
>>> The 'passwd' command only recognises the first 9 characters too...
>>>
>>> Has anyone seen this before, or know how to fix it? I feel its a major
>>> security risk and would like it fixed ASAP.
>>
>> Sounds like you're using DES password hashes instead of the newer MD5
>> style.
>>
>> If you take a peek at some of the password entries in your /etc/shadow
>> do they have a $1$ at the beginning? If not, you're probably using DES
>> which is limited to 8 characters.
>
> Sounds like you're on the money. I didn't install this server, so I
> didn't choose the security stuff.
> Passwords don't start with $....
>
>> There are a few other places where password length, strength, etc can
>> be configured, however I don't recall them off the top of my head.
>>
>> This is almost certainly not sshd's fault.
>>
>> Ray
>
> Will update shortly....
>

$ sudo authconfig --usemd5 --updateall

Done!

Thanks Ray!
 
08-11-2010, 04:48 PM
Todd Denniston

sshd bug?

Matt Keating wrote, On 08/11/2010 12:17 PM:
> On Wed, Aug 11, 2010 at 4:57 PM, Matt Keating <keatster@gmail.com> wrote:
>> On Wed, Aug 11, 2010 at 4:45 PM, Ray Van Dolson <rayvd@bludgeon.org> wrote:
>>> On Wed, Aug 11, 2010 at 04:38:22PM +0100, Matt Keating wrote:
>>>> Hi,
>>>>
<SNIP>
>>>>
>>>> The 'passwd' command only recognises the first 9 characters too...
>>>>
>>>> Has anyone seen this before, or know how to fix it? I feel its a major
>>>> security risk and would like it fixed ASAP.
>>> Sounds like you're using DES password hashes instead of the newer MD5
>>> style.
>>>
>>> If you take a peek at some of the password entries in your /etc/shadow
>>> do they have a $1$ at the beginning? If not, you're probably using DES
>>> which is limited to 8 characters.
>> Sounds like you're on the money. I didn't install this server, so I
>> didn't choose the security stuff.
>> Passwords don't start with $....
>>
<SNIP>
>
> $ sudo authconfig --usemd5 --updateall
>
> Done!
>
> Thanks Ray!

One subject for concern (even if it is too late for you now) is if that box is serving NIS/LDAP to
an older SunOS/Solaris/[other old Unix] system (how IT would be up to date security-wise is
another question), then you may have a problem if the Sun has not been updated to handle MD5
pass-phrase hashes.

Now you know why the old Sun guy in the corner is confused about why he can't log in.
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter