[CentOS] sshd bug?

Wed Aug 11 16:17:18 UTC 2010
Matt Keating <keatster at gmail.com>

On Wed, Aug 11, 2010 at 4:57 PM, Matt Keating <keatster at gmail.com> wrote:
> On Wed, Aug 11, 2010 at 4:45 PM, Ray Van Dolson <rayvd at bludgeon.org> wrote:
>> On Wed, Aug 11, 2010 at 04:38:22PM +0100, Matt Keating wrote:
>>> Hi,
>>>
>>> I've found a bug/problem with my centos 5.5 server. Any users who have
>>> a password of 9 characters or more, only the first 9 characters are
>>> used by the OS...
>>> eg. i set my password to "123456789" and i try logon via ssh with
>>> password "123456789ofgjdfuh" - it lets me in.
>>>  and if i set my password to "qwertasdfGHJB" and i enter
>>> "qwertasdfSDWQWSDS" - it lets me in...
>>>
>>> The 'passwd' command only recognises the first 9 characters too...
>>>
>>> Has anyone seen this before, or know how to fix it? I feel its a major
>>> security risk and would like it fixed ASAP.
>>
>> Sounds like you're using DES password hashes instead of the newer MD5
>> style.
>>
>> If you take a peek at some of the password entries in your /etc/shadow
>> do they have a $1$ at the beginning?  If not, you're probably using DES
>> which is limited to 8 characters.
>
> Sounds like you're on the money. I didn't install this server, so I
> didn't choose the security stuff.
> Passwords don't start with $....
>
>> There are a few other places where password length, strength, etc can
>> be configured, however I don't recall them off the top of my head.
>>
>> This is almost certainly not sshd's fault. :)
>>
>> Ray
>
> Will update shortly....
>

$ sudo authconfig --usemd5 --updateall

Done!

Thanks Ray!