[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Thu, 26 Aug 2004 09:45:42 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: popa3d problem with more than 8 character passwords.
On Wed, Aug 25, 2004 at 01:29:20PM -0300, Lucas Brasilino wrote:
> I really don't know if it's a bug but I've
> installed popa3d 0.6.4.1 with PAM support (AUTH_PAM)
> and it's authenticating two passwords if they are
> equal up to 8th character. For example:
>
> Real password: 1234567890
>
> 12345678 is authenticated.
> 12345678itsafeature? is authenticated...
> and so on.
This has nothing to do with popa3d specifically. Your system uses the
obsolete DES-based password hashes which have this limitation.
> I'm using RH7.2, PAM 0.74, GLIBC 2.2.2, OpenSSL 0.9.6g
So you need to configure your RH 7.2 to use the somewhat less obsolete
MD5-based hashes by editing /etc/pam.d/system-auth and adding the
option "md5" to the end of the "password" line. Of course, this will
only affect newly changed passwords.
<plug>
You may also want to replace your RH 7.2 which reached end-of-life.
If you migrate to Openwall GNU/*/Linux (Owl), you will also get
non-obsolete password hashes supported out-of-the-box:
http://www.openwall.com/Owl/
http://www.openwall.com/crypt/
</plug>
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux