Comment 8 for bug 600749

Steve Langasek (vorlon) wrote : Re: [Bug 600749] Re: cannot change password with a similar one

On Wed, Mar 02, 2011 at 09:23:59PM -0000, Phillip Susi wrote:
> This bug is in the pam package and introduced by the quilt patch
> "007_modules_pam_unix". It appears to be intentional, but incorrect
> behavior. The code has this comment:

> /* The traditional crypt() truncates passwords to 8 chars. It is
> possible to circumvent the above checks by choosing an easy
> 8-char password and adding some random characters to it...
> Example: "password$%^&*123". So check it again, this time
> truncated to the maximum length. Idea from npasswd. --marekm */

> This no longer seems to apply so I think this chunk of code should be
> removed.

I think you're misreading the code. Traditional crypt() is not what is
*used* by default, but *if* traditional crypt is in use, there are
additional checks that need to be done here. Note that this function is
designed to return with no error at this point when crypt is *not* in use:

       if (!UNIX_DES_CRYPT(ctrl))
               return NULL; /* unlimited password length */

So while there does seem to be a bug regarding password truncations, I don't
think it's here.

--
Steve Langasek                Give me a lever long enough and a Free OS
Debian Developer              to set it on, and I can move the world.
Ubuntu Developer              http://www.debian.org/
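The point of the quoted pam_unix comment is that under traditional DES crypt() only the first 8 bytes of a password are hashed, so "password$%^&*123" and "password" produce the same hash and a similarity check run on the full strings is trivially bypassed. The following is an added example written for this page, not pam_unix's own code: the control flag CTRL_DES_CRYPT, the DES_MAX_LEN and MIN_DIFF constants, and the simplified similarity rules (identical, case-only change, too few changed positions) are assumptions for illustration, not the real module's checks. It shows the structure Steve describes: run the checks at full length, return NULL ("unlimited password length") when DES crypt is not in use, and otherwise re-run the same checks on the 8-byte window that crypt() would actually see.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DES_MAX_LEN 8   /* traditional crypt() only looks at the first 8 bytes */
#define MIN_DIFF    4   /* assumed threshold: fewer changed positions = "similar" */

/* Assumed control flag for this example (not pam_unix's real ctrl bits). */
enum { CTRL_DES_CRYPT = 1 << 0 };

/*
 * Compare old and new passwords, looking only at their first 'maxlen' bytes.
 * Returns a reason string when the new password is unacceptable, else NULL.
 */
static const char *too_similar(const char *old_pw, const char *new_pw, size_t maxlen)
{
    size_t olen = strlen(old_pw), nlen = strlen(new_pw), i, same = 0;
    if (olen > maxlen) olen = maxlen;
    if (nlen > maxlen) nlen = maxlen;

    /* Byte-for-byte identical within the compared window. */
    if (olen == nlen && memcmp(old_pw, new_pw, olen) == 0)
        return "is the same as the old one";

    /* Same characters, only letter case changed. */
    if (olen == nlen) {
        for (i = 0; i < olen; i++)
            if (tolower((unsigned char)old_pw[i]) != tolower((unsigned char)new_pw[i]))
                break;
        if (i == olen)
            return "differs only in case";
    }

    /* Count positions where the new password keeps the old character;
     * if fewer than MIN_DIFF positions of the new window changed, reject. */
    size_t shorter = olen < nlen ? olen : nlen;
    for (i = 0; i < shorter; i++)
        if (old_pw[i] == new_pw[i])
            same++;
    if (nlen - same < MIN_DIFF)
        return "is too similar to the old one";

    return NULL;
}

/*
 * The check as the quoted pam_unix comment describes it: full-length first,
 * then, only when DES crypt is in use, again on the truncated window.
 */
const char *check_password_change(unsigned ctrl, const char *old_pw, const char *new_pw)
{
    const char *msg = too_similar(old_pw, new_pw, SIZE_MAX);
    if (msg)
        return msg;

    if (!(ctrl & CTRL_DES_CRYPT))
        return NULL;    /* unlimited password length: nothing else to check */

    /* crypt() would hash only the first DES_MAX_LEN bytes, so
     * "password$%^&*123" is really "password" again. Re-check truncated. */
    return too_similar(old_pw, new_pw, DES_MAX_LEN);
}

int main(void)
{
    /* Constructed sample pairs, not taken from any real account. */
    struct { unsigned ctrl; const char *old_pw, *new_pw; } cases[] = {
        { CTRL_DES_CRYPT, "password", "password$%^&*123" },  /* rejected under DES */
        { 0,              "password", "password$%^&*123" },  /* accepted, no truncation */
        { 0,              "password", "passwerd" },          /* one char changed */
        { CTRL_DES_CRYPT, "hunter22", "correct horse battery" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *r = check_password_change(cases[i].ctrl, cases[i].old_pw, cases[i].new_pw);
        printf("%-22s -> %-22s : %s\n", cases[i].old_pw, cases[i].new_pw,
               r ? r : "OK");
    }
    return 0;
}
```

The first two cases are the ones that matter for the thread: the same padded password is rejected only when the DES flag is set, because the truncated re-check sees "password" twice, while the non-DES path returns NULL right after the full-length check exactly as the quoted `if (!UNIX_DES_CRYPT(ctrl)) return NULL;` does.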