Possible security issue with blowfish shadow passwords

Kevin Day thekevinday at gmail.com
Wed Feb 28 15:12:22 PST 2007

This may only be specific to my system so here are the notable things:
- Linux-PAM (set passwords to blowfish as pam seems to handle them)
- shadow (without blowfish patch (does not work well with Linux-PAM))
- uClibc

Now, the problem:
1) passwords that do not match fail as expected, but only when the
incorrect part falls within the actual password size
2) the password itself works
3) anything after the actual password size will pass, regardless


password = abcd
1) a = fail
2) acdd = fail
3) acdde = fail
4) abcd = pass
5) abcde = pass
6) abcd09824t6jkdjf93t293tiwegfskjeg = pass

Now, this may be directly from Linux-PAM itself, I do not know if the
shadow passwords patch without Linux-PAM has this problem.

Can anybody reproduce this on their system (including the non-Linux-PAM
shadow blowfish systems)?
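The following is an added probe harness, not code from the post, Linux-PAM, shadow or uClibc. It runs the six candidates from the table above against any verifier callable and classifies the accept pattern as "strict" (only the exact password passes) or "prefix-tolerant" (every candidate beginning with the password passes). The `prefix_tolerant_verify` stand-in is an assumption for illustration only: it reproduces the observed symptom the way a `strncmp(stored, candidate, strlen(stored))`-style check would, and says nothing about what the real cause on the poster's system is.

```python
import hashlib
import hmac

# Constructed sample input: the password and the six probes from the post.
PASSWORD = "abcd"
PROBES = [
    "a",
    "acdd",
    "acdde",
    "abcd",
    "abcde",
    "abcd09824t6jkdjf93t293tiwegfskjeg",
]


def strict_verify(stored: str, candidate: str) -> bool:
    """Correct behaviour: hash the whole candidate and compare in constant time."""
    def digest(s: str) -> bytes:
        return hashlib.sha256(s.encode()).digest()
    return hmac.compare_digest(digest(stored), digest(candidate))


def prefix_tolerant_verify(stored: str, candidate: str) -> bool:
    """Hypothetical stand-in (an assumption, not the real PAM/uClibc code):
    only the first len(stored) characters of the candidate are compared, so
    anything appended after the real password is ignored."""
    return candidate[: len(stored)] == stored


def probe(verify, password: str, probes=PROBES) -> dict:
    """Run every probe through the verifier; returns {candidate: accepted}."""
    return {p: verify(password, p) for p in probes}


def classify(password: str, results: dict) -> str:
    """'strict' if only the exact password is accepted, 'prefix-tolerant' if
    exactly the candidates that start with the password are accepted."""
    accepted = {p for p, ok in results.items() if ok}
    if accepted == {password}:
        return "strict"
    prefixed = {p for p in results if p.startswith(password)}
    if len(prefixed) > 1 and accepted == prefixed:
        return "prefix-tolerant"
    return "other"


if __name__ == "__main__":
    for name, verify in (("strict", strict_verify),
                         ("prefix-tolerant", prefix_tolerant_verify)):
        results = probe(verify, PASSWORD)
        for cand, ok in results.items():
            print(f"{name:16} {cand!r:40} {'pass' if ok else 'fail'}")
        print(f"{name:16} -> {classify(PASSWORD, results)}")
```

To use this against a real system, replace the verifier callable with something that calls the actual login path (for example a wrapper that drives `pam_authenticate` or an `su`/`login` attempt) and keep the password and probe list the same; a "prefix-tolerant" result reproduces the pattern reported above.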

