
Re: SSH permits root-Logins with wrong password



On Wed, 16 Jun 2004, Frank Niedermann wrote:

>
> On Wed, 16 Jun 2004 10:35:33 Patrick Lane <patrick.m.lane@csun.edu> wrote:
>
> >> > I have a Debian testing server on my network with OpenSSH running.
> >> > If I try to log in as root but with wrong password I get access...
>
> > tried to duplicate this on a sid box and a sarge box (that hasn't been
> > upgraded for a while). I couldn't duplicate your results.
>
> I think my results are so strange because the wrong password contains
> parts of the right password. As I said, if I try to log in with 'x' as
> password I get the same results as you described.

Quick questions:

(1) how long is the password?; and
(2) is the variation you're trying at the end?

Some hash techniques limit password length and truncate the string after
that point, so if you're changing or appending a character after that
point you would get the behavior you describe.

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists@perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
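
The truncation effect described in the reply above, as an added example that is not part of the original thread: a probe that measures how many leading characters of a password actually influence the stored hash. The function names, salt and password are constructed, and salted SHA-256 stands in for the real hash only to make the truncation visible; the 8-character limit mirrors traditional DES-based crypt(3).

```python
import hashlib
import hmac

MAX_LEN = 8  # assumed limit for this model; traditional DES-based crypt(3) uses 8

def truncating_hash(password, salt, max_len=MAX_LEN):
    """Stand-in for a scheme that silently drops input past max_len bytes."""
    return hashlib.sha256(salt + password.encode()[:max_len]).hexdigest()

def full_hash(password, salt):
    """Stand-in for a scheme in which every byte of the password counts."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def verify(candidate, salt, stored, hash_fn):
    """Constant-time comparison of the candidate's hash with the stored one."""
    return hmac.compare_digest(hash_fn(candidate, salt), stored)

def significant_length(password, salt, hash_fn):
    """Count the leading characters that influence the hash (ASCII input).

    Changes one character at a time, starting from the end, and stops at
    the first position whose change alters the hash.
    """
    stored = hash_fn(password, salt)
    for i in range(len(password) - 1, -1, -1):
        swap = "y" if password[i] == "x" else "x"
        mutated = password[:i] + swap + password[i + 1:]
        if not verify(mutated, salt, stored, hash_fn):
            return i + 1
    return 0

# Constructed sample values, not taken from the thread.
SALT = b"constructed-salt"
PASSWORD = "s3cretpassw0rd"

if __name__ == "__main__":
    for name, fn in (("truncating", truncating_hash), ("full", full_hash)):
        stored = fn(PASSWORD, SALT)
        print(name, "significant chars:", significant_length(PASSWORD, SALT, fn))
        for guess in ("s3cretpaWRONG", "s3cretpassw0rd!", "x"):
            print("  ", repr(guess), "accepted:", verify(guess, SALT, stored, fn))
```

A result shorter than the password length means the tail of the password adds no protection, and any guess sharing that prefix is accepted.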




