users-admin sets up maximum 8 character password
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
system-tools-backends (Ubuntu) | Fix Released | High | Kees Cook |
Bug Description
I use the "Intrepid" beta with the latest updates and I've found out accidentally that at the GNOME login screen, in gnome-terminal (for the su command), or at the tty[1-6] screens it is enough to input only 8 chars of the correct password; in that case authorization will be successful. For example, if I have a password for my account which contains 25 symbols, then if I input only the first 8 symbols of my password at the GNOME login screen, login will be successful. The same occurs in gnome-terminal for the su command: to get super user's privileges, it is enough to input only 8 chars.
Besides, I checked it on "Hardy"; there everything is OK: it's necessary to input the full password correctly to pass authorization.
I'm not sure, but maybe only I have this problem. So it would be very interesting if someone else checked this and reported about it.
Some information:
$ lsb_release -rd
Description: Ubuntu 8.10
Release: 8.10
$ apt-cache policy gnome-terminal
gnome-terminal:
  Installed: 2.24.0-0ubuntu2
  Candidate: 2.24.0-0ubuntu2
  Version table:
 *** 2.24.0-0ubuntu2 0
        500 http://
        100 /var/lib/
To try to reproduce this bug, follow these steps:
1. run the users-admin utility;
2. press the "Unlock" button and type your password;
3. press the "Add User" button;
4. type "example" in the username field and "verylongpassword" in the password field;
5. select "Administrator" in the Profile field;
6. in the advanced settings, select "users" in the Main group field;
7. press the OK button and log out;
8. at the gdm screen type "example" as the login and "verylong" as the password;
9. after that, authorization should be successful.
BTW, adding a user via the adduser utility (from the terminal) requires full input of the password.
One more note: it looks like the users-admin utility adds a hash of only the first 8 chars of the password in /etc/shadow.
So, to fix this issue I've replaced the hash for my user account in /etc/shadow; I copied this hash from Hardy's /etc/shadow, where everything is OK.
Also, I've found out that the file /etc/pam.d/common-password can contain a "max=N" string, where N is the number of significant chars of the password; but in Intrepid, as in Hardy, there is no such string.
Please, someone, just try to reproduce this and add some feedback here; I just would like to know whether anybody else has this issue.
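An added example, not part of the bug report or of the system-tools-backends code: an audit script that scans /etc/shadow-style entries and flags accounts whose hash only covers the first 8 password characters. It assumes the truncated hashes the reporter describes are legacy DES crypt(3) entries (13 characters, no `$id$` prefix), which by design use only the first 8 characters of the password; the report itself does not name the hash type, and the shadow lines below are constructed samples.

```python
"""Audit shadow entries for hash formats that ignore password
characters beyond the 8th (legacy DES crypt(3))."""
import re

# Modular-crypt prefixes whose algorithms use the full password.
STRONG_PREFIXES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512",
                   "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                   "$y$": "yescrypt", "$7$": "scrypt"}
# Traditional DES crypt: 2 salt chars + 11 hash chars from this alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Return a short label for the password field of one shadow entry."""
    if field in ("", "*") or field.startswith("!"):
        return "locked/no-password"
    for prefix, name in STRONG_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "DES (8 significant chars)"
    return "unknown"

def audit_shadow(lines):
    """Return (user, label) for every account whose stored hash
    depends only on the first 8 password characters."""
    weak = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        label = classify_hash(parts[1])
        if label.startswith("DES"):
            weak.append((parts[0], label))
    return weak

# Constructed sample entries (not from any real system). The "example"
# account mimics the reporter's case: a 13-character DES-style hash.
SAMPLE_SHADOW = [
    "root:!:14142:0:99999:7:::",
    "alice:$6$saltsalt$" + "A" * 86 + ":14142:0:99999:7:::",
    "example:ab" + "Q" * 11 + ":14142:0:99999:7:::",
    "bob:$1$abcdefgh$" + "B" * 22 + ":14142:0:99999:7:::",
]

if __name__ == "__main__":
    for user, label in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {label}")
```

Run against a real /etc/shadow (as root) by passing its lines to audit_shadow(); any account it lists will accept an 8-character prefix of its password exactly as described in the report and should have its password reset so a modern hash is stored.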