GNU bug report logs - #21318
Only the first 8 characters of passwords are significant

Package: guix

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Sat, 22 Aug 2015 05:21:01 UTC

Severity: serious

Done: 宋文武 <iyzsong <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#21318; Package guix. (Sat, 22 Aug 2015 05:21:01 GMT)

Acknowledgement sent to Mark H Weaver <mhw <at> netris.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 22 Aug 2015 05:21:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: bug-guix <at> gnu.org
Subject: Only the first 8 characters of passwords are significant
Date: Sat, 22 Aug 2015 01:20:22 -0400

yenda on #guix reported that when typing user passwords, only the first
8 characters need to be typed correctly to successfully log in.

DusXMT on #guix mentioned that [GNU/]Linux From Scratch instructs users
to change "#ENCRYPT_METHOD_DES" to "ENCRYPT_METHOD_SHA512" in
etc/login.defs:

  http://www.linuxfromscratch.org/lfs/view/stable/chapter06/shadow.html

I tried modifying both /etc/login.defs and etc/login.defs in our
'shadow' package recipe, and then tried updating my password entry with
'passwd' but it still only pays attention to the first 8 characters.

'strace' reveals that 'passwd' doesn't even look for any file named
"login.defs".

I'm not sure what's going on here, but it would be good to fix it soon.

     Mark




Severity set to 'serious' from 'normal' Request was from Mark H Weaver <mhw <at> netris.org> to control <at> debbugs.gnu.org. (Sat, 22 Aug 2015 05:24:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#21318; Package guix. (Sat, 22 Aug 2015 14:32:03 GMT)

Message #10 received at 21318 <at> debbugs.gnu.org:

From: 宋文武 <iyzsong <at> gmail.com>
To: Mark H Weaver <mhw <at> netris.org>, 21318 <at> debbugs.gnu.org
Subject: Re: bug#21318: Only the first 8 characters of passwords are
 significant
Date: Sat, 22 Aug 2015 22:32:03 +0800

Mark H Weaver <mhw <at> netris.org> writes:

> yenda on #guix reported that when typing user passwords, only the first
> 8 characters need to be typed correctly to successfully log in.
>
> DusXMT on #guix mentioned that [GNU/]Linux From Scratch instructs users
> to change "#ENCRYPT_METHOD_DES" to "ENCRYPT_METHOD_SHA512" in
> etc/login.defs:
>
>   http://www.linuxfromscratch.org/lfs/view/stable/chapter06/shadow.html
>
> I tried modifying both /etc/login.defs and etc/login.defs in our
> 'shadow' package recipe, and then tried updating my password entry with
> 'passwd' but it still only pays attention to the first 8 characters.
>
> 'strace' reveals that 'passwd' doesn't even look for any file named
> "login.defs".

Yeah, when logging in using PAM (our case), login.defs is not used.

>
> I'm not sure what's going on here, but it would be good to fix it soon.

It turns out that adding 'sha512' to the arguments of the password PAM
entry does the trick, patch sent :-)
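
An added example, not part of the original thread and not Guix's code: a small audit that flags pam_unix 'password' entries naming no hash option (the condition fixed above by adding 'sha512') and accounts whose shadow entry is still in traditional DES crypt format, where only the first 8 characters count. The function names, the sample PAM and shadow text, and the choice of which options count as acceptable are assumptions of this example; it parses the /etc/pam.d line format only.

```python
import re

# pam_unix arguments that select a modern hash. Policy assumption of this
# example: "md5" and "bigcrypt" are not accepted as sufficient.
MODERN_OPTS = {"sha512", "sha256", "blowfish", "yescrypt", "gost_yescrypt"}
# Traditional DES crypt(3) entry: 2-char salt + 11-char hash, no "$id$" prefix.
DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")

def weak_pam_password_lines(pam_text):
    """Return pam_unix 'password' lines (pam.d format) naming no modern hash."""
    weak = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "password":
            continue
        i = 1
        if fields[1].startswith("["):  # bracketed control may contain spaces
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        rest = fields[i + 1:]          # module path followed by its arguments
        if rest and rest[0].endswith("pam_unix.so") and not MODERN_OPTS & set(rest[1:]):
            weak.append(line.strip())
    return weak

def des_hashed_accounts(shadow_text):
    """Return account names whose stored hash is in traditional DES format."""
    names = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and DES_HASH.fullmatch(parts[1]):
            names.append(parts[0])
    return names

# Constructed sample input (not taken from any real system).
SAMPLE_PAM = """\
password required pam_unix.so
password required pam_unix.so sha512 shadow
password [success=1 default=ignore] pam_unix.so obscure
auth required pam_unix.so
# password required pam_unix.so
"""
SAMPLE_SHADOW = (
    "alice:ab0123456789.:16669:0:99999:7:::\n"
    "bob:$6$constructedsalt$" + "x" * 86 + ":16672:0:99999:7:::\n"
    "daemon:*:16669::::::\n"
)

if __name__ == "__main__":
    print("PAM lines without a modern hash:", weak_pam_password_lines(SAMPLE_PAM))
    print("Accounts still on DES crypt:", des_hashed_accounts(SAMPLE_SHADOW))
```

Adding the option only affects hashes written afterwards: an account reported by `des_hashed_accounts` keeps its DES entry until its password is set again.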




Information forwarded to bug-guix <at> gnu.org:
bug#21318; Package guix. (Tue, 25 Aug 2015 12:39:02 GMT)

Message #13 received at 21318 <at> debbugs.gnu.org:

From: 宋文武 <iyzsong <at> gmail.com>
To: 21318 <at> debbugs.gnu.org
Subject: bug#21318: Fixed
Date: Tue, 25 Aug 2015 20:39:50 +0800

Fixed in commit 9297065a2b2151636194b2c91e957a3ec0b33532.




Reply sent to 宋文武 <iyzsong <at> gmail.com>:
You have taken responsibility. (Tue, 25 Aug 2015 12:43:02 GMT)

Notification sent to Mark H Weaver <mhw <at> netris.org>:
bug acknowledged by developer. (Tue, 25 Aug 2015 12:43:02 GMT)

Message #18 received at 21318-done <at> debbugs.gnu.org:

From: 宋文武 <iyzsong <at> gmail.com>
To: 21318-done <at> debbugs.gnu.org
Subject: bug#21318: Fixed
Date: Tue, 25 Aug 2015 20:43:50 +0800

Fixed in commit 9297065a2b2151636194b2c91e957a3ec0b33532.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 23 Sep 2015 11:24:04 GMT)

This bug report was last modified 8 years and 218 days ago.
