Possible security issue with blowfish shadow passwords

Kevin Day thekevinday at gmail.com
Wed Feb 28 19:52:57 PST 2007

On 2/28/07, Kevin Day <thekevinday at gmail.com> wrote:
> This may only be specific to my system so here are the notable things:
> - Linux-PAM (set passwords to blowfish as pam seems to handle them)
> - shadow (without blowfish patch (does not work well with Linux-PAM))
> - uClibc
> Now, the problem:
> 1) passwords that do not match the password fail as expected, but only
> when the part that is incorrect based off the actual password size
> (length)
> 2) the password itself works
> 3) Anything after the actual password size will pass, irregardless
> example:
> password = abcd
> 1) a = fail
> 2) acdd = fail
> 3) acdde = fail
> 4) abcd = pass
> 5) abcde = pass
> 6) abcd09824t6jkdjf93t293tiwegfskjeg = pass
> !!
> Now, this may be directly from Linux-PAM itself, I do not know if the
> shadow passwords patch without Linux-PAM has this problem.
> Can anybody reproduce this on their system (including the non-Linux
> Pam shadow blowfish systems)?
The previous password was an example of what I was doing with my
broken password.  I should have thought to properly test different
passwords as well.

I was trying to avoid using any portion of my password but it looks
like part of it breaks blowfish somehow.

Unfortunately, the password I am using (which I do not want to
reveal if at all possible) is the only password that will seem to
break blowfish as far as I have tested.

Any thoughts on this obscurity?

Maybe a buffer overrun is occurring or another kind of memory leak?

Kevin Day
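
The symptom in the quoted table (every input that starts with the real password is accepted) is what a length-limited comparison produces. The following is an added example, not code from this thread, PAM, shadow or uClibc: a hypothetical verifier with that defect beside a hardened one, and a regression check built from the post's own six test cases. The stand-in bug is one bug class that yields this symptom, not a claim about the actual cause on the poster's system.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stored secret, mirroring the post's example "password = abcd". */
static const char STORED[] = "abcd";

/* Stand-in for a verifier with the symptom described in the post: it compares
 * only strlen(STORED) bytes, so any input that starts with the real password
 * is accepted. This is one bug class that yields the symptom, not a claim
 * about what PAM, shadow or uClibc actually do. */
bool verify_prefix_bug(const char *input)
{
    return strncmp(input, STORED, strlen(STORED)) == 0;
}

/* Hardened form: reject on length mismatch, then compare every byte without
 * an early exit so a partial match does not shorten the comparison. */
bool verify_fixed(const char *input)
{
    size_t n = strlen(STORED);
    if (strlen(input) != n)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)input[i] ^ (unsigned char)STORED[i];
    return diff == 0;
}

/* Regression check built from the post's own table: returns the number of
 * cases where the verifier's answer differs from the expected one, so 0
 * means the verifier is free of the trailing-character defect. */
int count_mismatches(bool (*verify)(const char *))
{
    static const struct { const char *pw; bool expect; } cases[] = {
        { "a",      false },
        { "acdd",   false },
        { "acdde",  false },
        { "abcd",   true  },
        { "abcde",  false }, /* the post reports "pass" here: that is the bug */
        { "abcd09824t6jkdjf93t293tiwegfskjeg", false },
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (verify(cases[i].pw) != cases[i].expect)
            bad++;
    return bad;
}
```

Pointing `count_mismatches` at a wrapper around the system's real `crypt()`-based check (with a known test account, never a live password) gives a quick way to tell whether a given PAM/shadow/libc combination shows the defect.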