hlfs-dev@linuxfromscratch.org

Re: Possible security issue with blowfish shadow passwords Kevin Day Thu Mar 01 00:02:23 2007

On 2/28/07, Kevin Day <[EMAIL PROTECTED]> wrote:
> This may only be specific to my system so here are the notable things:
> - Linux-PAM (set passwords to blowfish as pam seems to handle them)
> - shadow (without blowfish patch (does not work well with Linux-PAM))
> - uClibc
>
> Now, the problem:
> 1) passwords that do not match the password fail as expected, but only
> when the part that is incorrect based off the actual password size
> (length)
> 2) the password itself works
> 3) Anything after the actual password size will pass, irregardless
>
> example:
>
> password = abcd
> 1) a = fail
> 2) acdd = fail
> 3) acdde = fail
> 4) abcd = pass
> 5) abcde = pass
> 6) abcd09824t6jkdjf93t293tiwegfskjeg = pass
> !!
>
> Now, this may be directly from Linux-PAM itself, I do not know if the
> shadow passwords patch without Linux-PAM has this problem.
>
> Can anybody reproduce this on their system (including the non-Linux
> Pam shadow blowfish systems)?
>
The previous password was an example of what I was doing with my
broken password.  I should have thought to properly test different
passwords as well.

I was trying to avoid using any portion of my password but it looks
like part of it breaks blowfish somehow.

Unfortunately, the password I am using (which I do not want to
reveal if at all possible) is the only password that seems to
break blowfish as far as I have tested.

Any thoughts on this obscurity?

Maybe a buffer overrun is occurring or another kind of memory leak?

-- 
Kevin Day
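Added example, not part of the thread: a small harness that checks whether a password verifier shows the symptom described above, i.e. it accepts the correct password with extra bytes appended while still rejecting wrong passwords of the same length. The verifiers here are constructed SHA-256 stand-ins written for this example, not the real crypt(), PAM or shadow code; the `truncate_at` parameter emulates a routine that silently hashes only the first N bytes of the candidate, which is one hypothesis for what is being seen (the page does not establish the actual cause). The test cases mirror the six from the report ("a", "acdd", "acdde", "abcd", "abcde", "abcd0982..."). The standard bcrypt construction only uses the first 72 bytes of a password, so when running a check like this against a real system it is worth including a long passphrase as well as a short one.

```python
# Added example (not from the thread): detect a verifier that ignores bytes
# past the real password's length. SHA-256 stand-ins, not the real crypt().
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16


def make_verifier(truncate_at: Optional[int] = None):
    """Return an (enroll, verify) pair built on salted SHA-256.

    enroll(password) -> stored record (salt || digest)
    verify(record, candidate) -> bool
    With truncate_at=N the digest covers only candidate[:N]; that is the
    emulated defect this harness is meant to catch.
    """
    def digest(salt: bytes, pw: bytes) -> bytes:
        if truncate_at is not None:
            pw = pw[:truncate_at]          # the emulated bug: trailing bytes dropped
        return hashlib.sha256(salt + pw).digest()

    def enroll(password: bytes) -> bytes:
        salt = os.urandom(SALT_LEN)
        return salt + digest(salt, password)

    def verify(record: bytes, candidate: bytes) -> bool:
        salt, expected = record[:SALT_LEN], record[SALT_LEN:]
        return hmac.compare_digest(expected, digest(salt, candidate))

    return enroll, verify


def audit_verifier(enroll, verify, password: bytes) -> dict:
    """Run the cases from the report against one enrolled password.

    Only 'correct' should be accepted. True for 'one_extra' or 'long_suffix'
    means the verifier does not look past the real password's length.
    """
    record = enroll(password)
    wrong_last = password[:-1] + bytes([password[-1] ^ 0x01])  # same length, one byte wrong
    cases = {
        "correct": password,                     # "abcd"  -> should pass
        "prefix_only": password[:1],             # "a"     -> should fail
        "same_length_wrong": wrong_last,         # "acdd"  -> should fail
        "one_longer_wrong": wrong_last + b"e",   # "acdde" -> should fail
        "one_extra": password + b"e",            # "abcde" -> should fail
        "long_suffix": password + b"09824t6jkdjf93t293tiwegfskjeg",  # suffix from the report
    }
    return {name: verify(record, cand) for name, cand in cases.items()}


def accepts_trailing_bytes(results: dict) -> bool:
    """True if the verifier showed the reported symptom."""
    return results["correct"] and (results["one_extra"] or results["long_suffix"])


if __name__ == "__main__":
    for label, limit in (("truncating verifier", 4), ("correct verifier", None)):
        enroll, verify = make_verifier(limit)
        res = audit_verifier(enroll, verify, b"abcd")
        verdict = "SYMPTOM PRESENT" if accepts_trailing_bytes(res) else "ok"
        print(f"{label}: {verdict} {res}")
```

To use this against a real installation, replace the `enroll`/`verify` pair with calls into the verifier under test (for example a wrapper around the system's crypt() that compares against an existing shadow entry) and keep `audit_verifier` unchanged; a verifier that returns True for `one_extra` or `long_suffix` has the behaviour described in the report.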
