Re: The *"'($^"'( list... and Xdm login

To: rgayraud@slp.fr
Cc: debian-user@lists.debian.org
Subject: Re: The *"'($^"'( list... and Xdm login
From: Buddha Buck <bmbuck@not-a-real-site.acsu.buffalo.edu>
Date: Fri, 27 Sep 1996 22:10:11 -0400
Message-id: <[🔎] 199609280210.WAA18674@not-a-real-site.acsu.buffalo.edu>
Reply-to: bmbuck@acsu.Buffalo.EDU
In-reply-to: Your message of "Fri, 27 Sep 1996 17:36:58 -0000." <[🔎] 9609280017.AA08945@mailhost1.slp.fr>

> a simple question about xdm : 
> 
>   my root password is ... say "toto". when i try to login
>   with password "totoxxx", it works. The xdm login
>   only compares characters from the begining, to the end of
>   the password. is it normal ??? 

It shouldn't be that way for your root password as "toto", but let's 
say your root password was "wizardoz".  Then "wizardos_is_a_fraud" 
would work, because anything past 8 letters is ignored.

In fact, the scenario that you describe -couldn't- happen, unless login 
on xdm was severely broken (try using "dorothy" as a password instead 
of "toto",  if you can get in, then you know it's broken :-( ).  What 
login (and xdm, etc) do is take the passwork you type, hash the first 8 
characters with a one-way hash function, and compare that with the 
stored, previously hashed password.  The original password is lost -- 
it exists in the memory of passwd, login, xdm, and so on the bare 
minimum they need to do their job, then it is destroyed, to prevent 
snoopers.  Since all xdm has to play with is a previously hashed value, 
it -can't- tell that the password "toto" is only 4 characters long.  It 
can only tell that "totoxxx" hashes to the same value as "toto".  Given 
the way that the hash function is designed, I think (but I am not 
certain) that that is mathematically impossible (but at the least, it 
it highly improbable).

I just tried it on my system, and I was able to su to root by using the 
password "scarecro" instead of the complete "scarecrow" (and, no, that 
isn't the root password on my system, but mine is longer than 8 
characters), so the 8 character limit is still live on Debian systems.

Theoretically, we should be able to "pay no attention to the crypt() 
behind the login", but maintaining compatability with other systems 
forces us to use the same crypt() Unix has been using for decades.  
This limits us to only 8 significant characters.  How many utilities 
would have to be changed to implement the following password logic:

  If the stored hash is 13 characters long, use crypt().  
  If it is 32 characters long, use md5sum().  
  Otherwise, fail.

This would allow us to retain backwards compatability while potentially 
increasing the security of the system by allowing arbitrarily long 
passwords.

> 
> thanks,
> 
> Richard
> 

-- 
     Buddha Buck                      bmbuck@acsu.buffalo.edu
"Just as the strength of the Internet is chaos, so the strength of our
liberty depends upon the chaos and cacaphony of the unfettered speech
the First Amendment protects."  -- A.L.A. v. U.S. Dept. of Justice

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to:

Follow-Ups:
- Re: The *"'($^"'( list... and Xdm login
  - From: Rob Browning <osiris@cs.utexas.edu>

References:
- Re: The *"'($^"'( list... and Xdm login
  - From: Richard Gayraud@mailhost1.slp.fr

Prev by Date: smbmount (in packge ksmbfs-0.2.4-2.deb) / win-95 problem
Next by Date: Re: smbmount (in packge ksmbfs-0.2.4-2.deb) / win-95 problem
Previous by thread: Re: The *"'($^"'( list... and Xdm login
Next by thread: Re: The *"'($^"'( list... and Xdm login
Index(es):
- Date
- Thread