GNU bug report logs - #21318
Only the first 8 characters of passwords are significant

Previous Next

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sat, 22 Aug 2015 05:21:01 UTC

Severity: serious

Done: 宋文武 <iyzsong <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Mark H Weaver <mhw <at> netris.org>
Subject: bug#21318: closed (bug#21318: Fixed)
Date: Tue, 25 Aug 2015 12:43:02 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#21318: Only the first 8 characters of passwords are significant

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 21318 <at> debbugs.gnu.org.

-- 
21318: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=21318
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: 宋文武 <iyzsong <at> gmail.com>
To: 21318-done <at> debbugs.gnu.org
Subject: bug#21318: Fixed
Date: Tue, 25 Aug 2015 20:43:50 +0800

Fixed in commit 9297065a2b2151636194b2c91e957a3ec0b33532.


[Message part 3 (message/rfc822, inline)]
From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Subject: Only the first 8 characters of passwords are significant
Date: Sat, 22 Aug 2015 01:20:22 -0400

yenda on #guix reported that when typing user passwords, only the first
8 characters need to be typed correctly to successfully log in.

DusXMT on #guix mentioned that [GNU/]Linux From Scratch instructs users
to change "#ENCRYPT_METHOD_DES" to "ENCRYPT_METHOD_SHA512" in
etc/login.defs:

  http://www.linuxfromscratch.org/lfs/view/stable/chapter06/shadow.html

I tried modifying both /etc/login.defs and etc/login.defs in our
'shadow' package recipe, and then tried updating my password entry with
'passwd' but it still only pays attention to the first 8 characters.

'strace' reveals that 'passwd' doesn't even look for any file named
"login.defs".

I'm not sure what's going on here, but it would be good to fix it soon.

     Mark
This bug report was last modified 9 years and 274 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.