SASL AUTH only check 8 first characters of the password

To: debian-security@lists.debian.org
Subject: SASL AUTH only check 8 first characters of the password
From: "Josep M." <websurfer@gamu.navegants.org>
Date: Fri, 16 May 2008 14:55:22 +0200
Message-id: <[🔎] 1210942522.15003.24.camel@debianet.gamuzino>

Hello.

After do more checks, SASL only check the 8 first characters of the
password, how can I do that will check all characters?

I have etch/stable installed.

I try the following:

testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u test -p
passwordgood           (pass OK) This is OK
testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u test -p
passwordgoodXXXXX      (pass OK) This should FAIL

The password is "passwordgood" but "passwordgoodXXXXX" is accepted
too!!!!!

But....for example "passwoCCrdgood" is NOT accepted


debianet:/home/krasher# cat /etc/default/saslauthd
START=yes
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

debianet:/home/krasher# cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
log_level: 5


debianet:/home/krasher/testing-smtp/new/commands/cat /etc/pam.d/smtp
@include common-auth
@include common-session
@include common-account
@include common-password


What more can I look? I don't have saslauthd.conf file in the computer

Thanks in advance
Josep

Reply to:

Follow-Ups:
- Re: SASL AUTH only check 8 first characters of the password
  - From: Bastian Blank <waldi@debian.org>

Prev by Date: Fault in openssl-blacklist - version 0.1 -- false negatives.
Next by Date: Re: SASL AUTH only check 8 first characters of the password
Previous by thread: Minor improvement to openssl-blacklist
Next by thread: Re: SASL AUTH only check 8 first characters of the password
Index(es):
- Date
- Thread