Re: [suse-axp] 8-character limit for root password in SuSE-6.4

From: William H. Magill (magill@isc.upenn.edu)
Date: Mon Jul 03 2000 - 08:59:36 PDT


    Date: Mon, 3 Jul 2000 11:59:36 -0400 (EDT)
    From: "William H. Magill" <magill@isc.upenn.edu>
    Message-Id: <200007031559.e63Fxa015641@falstaff.isc-net.upenn.edu>
    Subject: Re: [suse-axp] 8-character limit for root password in SuSE-6.4
    

    > I really don't understand why SuSE imposed such a strange limit
    > for the number of characters of the root password.
    > How can I eliminate such a limit?
    >

    In almost all versions of Unix (except Tru64 in C2 mode, that I know of)
    you are limited to an 8 character password.

    The historical security problem in BSD Unix (and Ultrix) was that you could
    specify a password of essentially unlimited length.... however only the
    first 8 characters were ever used. The code simply truncated the entry and
    used it, without any kind of indication of what was happening.

    That is to say any password greater than 8 characters was truncated to
    the first 8 with no warning messages.

    Consequently the password
            9a8b7c6dxxx was exactly the same as
            9a8b7c6dyyy
            12345678
    since only the first 8 characters were examined.

    It was a rather nasty security hole. And as far as I know this problem
    still exists in most Unixes --- hence the limitation of password length
    to 8 characters. (It was easier to fix the allowed length on creation than
    to allow the longer lengths in processing.)

    It is not unlike the 8 character limitation on userids. It is so deeply
    embedded in the code that it will take years (if ever) before a userid
    longer than 8 characters is permitted.

    I've been complaining about both of these issues for what seems like forever.
    Let's see now, OSF/1 came out about 10 years ago... yeah, forever.

    At least with C2 security in Tru64 Unix, (and I assume other vendors now
    as well) you can set both the minimum and maximum password lengths, which
    is a requirement for C2 certification.

    -- 
                            www.tru64unix.compaq.com
                                  www.tru64.org
                                 comp.unix.tru64
                            
    T.T.F.N.
    William H. Magill                          Senior Systems Administrator
    Information Services and Computing (ISC)   University of Pennsylvania
    Internet: magill@isc.upenn.edu             magill@acm.org
    http://www.isc-net.upenn.edu/~magill/
    
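As an added worked example (not part of the original message, and not SuSE or Tru64 code), the following Python models the silent-truncation behaviour the post describes and shows a black-box check a practitioner can run against any password API to learn whether it ignores the tail of a password. The `legacy_hash` function is a constructed stand-in for the old crypt(3) behaviour: it drops everything past character 8, but uses SHA-256 rather than DES so the example runs without Python's `crypt` module (which recent Python releases no longer ship). `modern_hash`, `PasswordStore`, `silently_truncates_at` and `first_truncation_point` are likewise assumed names for this illustration, and the PBKDF2 iteration count is deliberately low so the probe loop finishes quickly.

```python
"""Probe a password store for silent truncation of the kind described in the post.

Constructed illustration: `legacy_hash` models classic crypt(3) (only the
first 8 characters matter); it is NOT the real DES-based crypt.  `modern_hash`
covers the whole password with salted, iterated PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

LEGACY_SIGNIFICANT_CHARS = 8      # the 8-character limit the post refers to
DEMO_PBKDF2_ITERATIONS = 10_000   # low on purpose for the demo; use far more in production


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Model of the old behaviour: everything past character 8 is silently dropped."""
    truncated = password[:LEGACY_SIGNIFICANT_CHARS].encode()
    return hashlib.sha256(salt + truncated).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Every character of the password contributes to the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, DEMO_PBKDF2_ITERATIONS)


class PasswordStore:
    """Minimal per-user (salt, digest) store parameterised by the hash function."""

    def __init__(self, hash_fn: Callable[[str, bytes], bytes]) -> None:
        self._hash_fn = hash_fn
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._hash_fn(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._records[user]
        return hmac.compare_digest(digest, self._hash_fn(password, salt))


def silently_truncates_at(store: PasswordStore, length: int) -> bool:
    """Black-box probe: set a password `length + 3` characters long, then present
    one that agrees on the first `length` characters and differs afterwards.
    Acceptance means the store is ignoring the tail.  The wrong-prefix check
    guards against a store that accepts anything at all."""
    prefix = "".join(chr(ord("a") + i % 26) for i in range(length))
    store.set_password("probe", prefix + "xxx")
    accepted_wrong_tail = store.verify("probe", prefix + "yyy")
    rejected_wrong_prefix = not store.verify("probe", "Z" + prefix[1:] + "xxx")
    return accepted_wrong_tail and rejected_wrong_prefix


def first_truncation_point(store: PasswordStore, max_len: int = 16) -> Optional[int]:
    """Smallest password length at which the store silently truncates, or None."""
    for n in range(1, max_len + 1):
        if silently_truncates_at(store, n):
            return n
    return None


def reproduce_post_example(store: PasswordStore) -> bool:
    """The post's own pair: with truncation, 9a8b7c6dyyy unlocks a 9a8b7c6dxxx password."""
    store.set_password("root", "9a8b7c6dxxx")
    return store.verify("root", "9a8b7c6dyyy")


if __name__ == "__main__":
    legacy, modern = PasswordStore(legacy_hash), PasswordStore(modern_hash)
    print("legacy truncates at:", first_truncation_point(legacy))       # 8
    print("modern truncates at:", first_truncation_point(modern))       # None
    print("legacy accepts 9a8b7c6dyyy for 9a8b7c6dxxx:", reproduce_post_example(legacy))  # True
    print("modern accepts 9a8b7c6dyyy for 9a8b7c6dxxx:", reproduce_post_example(modern))  # False
```

The probe only needs the ability to set and verify a password, so the same idea works against a real system (PAM, an LDAP bind, a web login) when you suspect a length cap that the interface does not announce. Since the only observable is accept/reject, remember to also test the wrong-prefix case, or a verifier that is broken in some other way will look like a truncating one.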



    This archive was generated by hypermail 2.1.0 : Mon Jun 04 2001 - 04:18:24 PDT