SCIENTIFIC-LINUX-USERS Archives

March 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Stephen John Smoogen <[log in to unmask]>
Reply To: Stephen John Smoogen <[log in to unmask]>
Date: Mon, 12 Mar 2012 12:38:47 -0600
Content-Type: text/plain

On 12 March 2012 12:18, Robert Tilden <[log in to unmask]> wrote:
> One of our systems running ‘Scientific Linux Fermi LTS release 4.9’ is
> exhibiting some odd password behavior.
>
>
>
> I can log in using a legitimate password for an account, but I can also log
> in when I add random characters at the -end- of the legitimate password.
> Shortened legitimate passwords don’t work, nor do nonlegitimate passwords.
> It’s like the password check stops when it sees a match but doesn’t check
> beyond that point.
>
>
>
> uname -a gives ‘Linux <redacted>.phys.northwestern.edu 2.6.9-101.ELsmp #1
> SMP Wed Jul 20 12:44:12 CDT 2011 x86_64 x86_64 x86_64 GNU/Linux’
>

Depends on the password hash. If the system is set up to use the old
DES hash passwords then it will only look at the first 8 characters.
Any characters after that would be truncated and ignored. To check to
see which hash is being used for the account one can do a 'getent
shadow' as root on the system.

[ssmoogen@ponyo ~]$ openssl passwd -1 -salt CrapSalt Password
$1$CrapSalt$QwW4h1GkbcFPhKj/DmtOk.
[ssmoogen@ponyo ~]$ openssl passwd -salt CS Password
CS70elGx.oAms

The first example is an MD5crypt hash which has an "unlimited" length
but can be around 72 characters depending on the system. The second
example is the older DES style hash which is limited to 8 characters.


>
> Any thoughts?
>
>
>
>



-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd
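
An added example, not part of the original message: a small shell audit that reads shadow-format lines and reports which hash scheme each account uses, flagging the DES-style entries the reply describes. The two hash values are the ones shown in the message; the account names and remaining fields are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify shadow(5) password fields by hash scheme (added example).
LC_ALL=C; export LC_ALL   # keep the [A-Za-z] ranges byte-exact

classify_hash() {
    case "$1" in
        '')               echo "empty" ;;          # no password set
        '!'*|'*'*)        echo "locked" ;;         # login disabled
        '$1$'*)           echo "md5crypt" ;;
        '$5$'*)           echo "sha256crypt" ;;
        '$6$'*)           echo "sha512crypt" ;;
        '$'*)             echo "other-modular" ;;  # some other $id$ scheme
        *[!./0-9A-Za-z]*) echo "unknown" ;;        # outside the crypt alphabet
        ?????????????)    echo "des-crypt" ;;      # exactly 13 chars: 2 salt + 11 hash
        *)                echo "unknown" ;;
    esac
}

# Read "user:hash:..." lines on stdin, print "user<TAB>scheme[<TAB>note]".
audit_shadow() {
    while IFS=: read -r user hash rest; do
        scheme=$(classify_hash "$hash")
        if [ "$scheme" = "des-crypt" ]; then
            printf '%s\t%s\t%s\n' "$user" "$scheme" \
                "only the first 8 password characters are checked"
        else
            printf '%s\t%s\n' "$user" "$scheme"
        fi
    done
}

# Constructed sample input; only the two hash strings come from the message.
sample_shadow() {
    cat <<'EOF'
alice:$1$CrapSalt$QwW4h1GkbcFPhKj/DmtOk.:15411:0:99999:7:::
bob:CS70elGx.oAms:15411:0:99999:7:::
daemon:*:15411:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a live system, run as root, the same function can take `getent shadow | audit_shadow` as its input.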
