Possible security issue with blowfish shadow passwords
thekevinday at gmail.com
Wed Feb 28 19:52:57 PST 2007
On 2/28/07, Kevin Day <thekevinday at gmail.com> wrote:
> This may only be specific to my system so here are the notable things:
> - Linux-PAM (set passwords to blowfish as pam seems to handle them)
> - shadow (without blowfish patch (does not work well with Linux-PAM))
> - uClibc
> Now, the problem:
> 1) passwords that do not match the password fail as expected, but only
> when the part that is incorrect based off the actual password size
> 2) the password itself works
> 3) Anything after the actual password size will pass, irregardless
> password = abcd
> 1) a = fail
> 2) acdd = fail
> 3) acdde = fail
> 4) abcd = pass
> 5) abcde = pass
> 6) abcd09824t6jkdjf93t293tiwegfskjeg = pass
> Now, this may be directly from Linux-PAM itself, I do not know if the
> shadow passwords patch without Linux-PAM has this problem.
> Can anybody reproduce this on their system (including the non-Linux
> Pam shadow blowfish systems)?
The previous password was an example of what I was doing with my
broken password. I should have thought to properly test different
passwords as well.
I was trying to avoid using any portion of my password but it looks
like part of it breaks blowfish somehow.
Unfortunately, the password I am using (in which I do not want to
reveal if at all possible) is the only password that will seem to
break blowfish as far as I have tested.
Any thoughts on this obscurity?
Maybe a buffer overrun is occuring or another kind of memory leak?
More information about the hlfs-dev