GNU bug report logs - #21318
Only the first 8 characters of passwords are significant


Package: guix

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sat, 22 Aug 2015 05:21:01 UTC

Severity: serious

Done: 宋文武 <iyzsong <at> gmail.com>

Bug is archived. No further changes may be made.


From: 宋文武 <iyzsong <at> gmail.com>
To: Mark H Weaver <mhw <at> netris.org>, 21318 <at> debbugs.gnu.org
Subject: bug#21318: Only the first 8 characters of passwords are significant
Date: Sat, 22 Aug 2015 22:32:03 +0800

Mark H Weaver <mhw <at> netris.org> writes:

> yenda on #guix reported that when typing user passwords, only the first
> 8 characters need to be typed correctly to successfully log in.
>
> DusXMT on #guix mentioned that [GNU/]Linux From Scratch instructs users
> to change "#ENCRYPT_METHOD_DES" to "ENCRYPT_METHOD_SHA512" in
> etc/login.defs:
>
>   http://www.linuxfromscratch.org/lfs/view/stable/chapter06/shadow.html
>
> I tried modifying both /etc/login.defs and etc/login.defs in our
> 'shadow' package recipe, and then tried updating my password entry with
> 'passwd' but it still only pays attention to the first 8 characters.
>
> 'strace' reveals that 'passwd' doesn't even look for any file named
> "login.defs".

Yeah, when logging in using PAM (our case), login.defs is not used.

>
> I'm not sure what's going on here, but it would be good to fix it soon.

It turns out that adding 'sha512' to the arguments of the password PAM
entry does the trick, patch sent :-)
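
An added example, not part of the original message or of the Guix patch: a small audit that reports which hashing option each pam_unix `password` entry carries and which /etc/shadow entries are still stored as traditional DES crypt, the scheme in which only the first 8 characters of a password are significant. Function names and sample data are constructed for illustration; an entry with no hashing option is treated as the case reported in this bug.

```python
import re

# pam_unix options that select a password hashing scheme.
HASH_OPTS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish",
             "yescrypt", "gost_yescrypt"}
PAM_LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash
PREFIXES = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt",
            "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}


def pam_unix_password_lines(pam_text):
    """Return (line_no, hashing_options) for each 'password' pam_unix entry."""
    found = []
    for no, line in enumerate(pam_text.splitlines(), 1):
        m = PAM_LINE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m or m.group(1).lstrip("-") != "password":
            continue
        if m.group(3).rsplit("/", 1)[-1] != "pam_unix.so":  # allow full paths
            continue
        opts = {a.split("=", 1)[0] for a in m.group(4).split()}
        found.append((no, sorted(opts & HASH_OPTS)))
    return found


def hash_scheme(field):
    """Classify the second field of an /etc/shadow entry."""
    body = field.lstrip("!")  # '!' marks a locked account
    if body in ("", "*"):
        return "no-password-or-locked"
    if body.startswith("$"):
        return PREFIXES.get(body.split("$")[1], "other")
    return "des-crypt" if DES_HASH.match(body) else "other"


def des_users(shadow_text):
    """Users whose stored hash is traditional DES crypt (8 significant chars)."""
    return [f[0] for f in (l.split(":") for l in shadow_text.splitlines())
            if len(f) > 1 and hash_scheme(f[1]) == "des-crypt"]


# Constructed samples, not taken from the bug report.
PAM_BEFORE = "password required pam_unix.so\n"
PAM_AFTER = "password required pam_unix.so sha512 shadow\n"
SHADOW = ("alice:xxCONSTRUCTED:16669::::::\n"
          "bob:$6$constructedsalt$CONSTRUCTEDHASH:16669::::::\n"
          "daemon:*:16669::::::\n")

if __name__ == "__main__":
    print(pam_unix_password_lines(PAM_BEFORE), des_users(SHADOW))
```

Existing DES hashes stay in /etc/shadow until each password is set again with 'passwd', so the shadow check is worth running after the PAM entry has been changed.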




This bug report was last modified 9 years and 273 days ago.


