bug-cvs

Re: pserver login fails on 9 char passwords


From: Mäkeläinen Juha
Subject: Re: pserver login fails on 9 char passwords
Date: Mon, 29 Mar 2004 15:44:35 +0300


-----Original Message-----
From: Brian Murphy [mailto:brian@murphy.dk] 
Sent: 29 March 2004 13:46
To: Mäkeläinen Juha
Cc: bug-cvs@gnu.org
Subject: Re: pserver login fails on 9 char passwords


Mäkeläinen Juha wrote:

>This problem was found when using cvs-1.11.11 server on HP-UX and 
>wincvs client.
>
>If user password is 9 chars long, the crypted password from client is 
>13 characters but password got from HP-UX secure password system is 24 
>characters. The server.c module can not handle that.

...  

Have you tried using the PAM in the 1.12 versions?

/Brian

  No; we are trying to use a stable version and very straightforward solutions 
for our production group.

  I am not much aware of the possibilities of PAM, I have only glimpsed 
http://www.cvshome.org/docs/manual/cvs-1.12.2/cvs_2.html . Is it something 
which can be easily installed in any server?


Mark D. Baushke wrote:
> Your patch makes me uncomfortable because it may be possible to
> choose a password that is encrypted with the same salt as the
> found_passwd and happens to encode to a substring of the real
> found_passwd without being a valid password on the system.
>
> I would rather understand what HP/UX is doing to the found_password
> such that it is so much longer than the crypted password.

  Yes, it would be nice if HP would fix this.

  This kind of risk may probably be considered moderate in our company's LAN, 
but of course this kind of paranoia is your job. Still I think it should be 
quite difficult to guess one of those passwords. When using shorter passwords 
(<9 chars), isn't it equally easy to guess them?


 -- Juha
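
The concern quoted above about accepting a match against only part of the stored value, as an added example that is not part of the original thread or of the patch under discussion. It assumes the 24-character stored value is a segmented hash (13 characters for the first 8 password characters, 11 more for the next segment), which the thread does not establish, and it uses a toy FNV-based block function in place of DES crypt(); all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SEGS 5   /* toy limit: 5 x 8 password characters */

/* Toy stand-in for one DES crypt() block (FNV-1a, NOT a real password hash):
   2-char salt + up to 8 password chars -> 11 printable chars. */
static void toy_block(const char *salt, const char *pw, size_t n, char out[12]) {
    static const char abc[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    uint64_t h = 1469598103934665603ULL;
    for (int i = 0; i < 2; i++) h = (h ^ (unsigned char)salt[i]) * 1099511628211ULL;
    for (size_t i = 0; i < n; i++) h = (h ^ (unsigned char)pw[i]) * 1099511628211ULL;
    for (int i = 0; i < 11; i++) { out[i] = abc[h & 63]; h >>= 6; }
    out[11] = '\0';
}

/* Assumed layout: salt + 11 chars for the first 8 password characters, then
   11 more per further segment, each salted from the previous block. */
static void seg_hash(const char *salt, const char *pw, int max_segs, char out[64]) {
    size_t len = strlen(pw), off = 0;
    char s[3] = { salt[0], salt[1], '\0' }, blk[12];
    memcpy(out, s, 3);
    for (int seg = 0; seg < max_segs && (seg == 0 || off < len); seg++, off += 8) {
        toy_block(s, pw + off, len - off > 8 ? 8 : len - off, blk);
        strcat(out, blk);
        s[0] = blk[0]; s[1] = blk[1];
    }
}

/* Prefix check: hash one segment, accept if the stored value starts with it. */
int verify_prefix(const char *stored, const char *pw) {
    char h[64];
    seg_hash(stored, pw, 1, h);
    return strncmp(stored, h, strlen(h)) == 0;
}

/* Full check: recompute every segment and demand exact equality. */
int verify_full(const char *stored, const char *pw) {
    char h[64];
    seg_hash(stored, pw, MAX_SEGS, h);
    return strcmp(stored, h) == 0;
}

int main(void) {
    char stored[64];
    seg_hash("ab", "secretpw1", MAX_SEGS, stored);   /* constructed sample */
    printf("prefix=%d full=%d\n", verify_prefix(stored, "secretpwX"),
           verify_full(stored, "secretpwX"));
    return 0;
}
```

Under the prefix check, only the first 8 characters of the password are ever verified, so a 9-character password gives no more protection than its 8-character prefix.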



