On Wed, Aug 11, 2010 at 04:38:22PM +0100, Matt Keating wrote: > Hi, > > I've found a bug/problem with my centos 5.5 server. Any users who have > a password of 9 characters or more, only the first 9 characters are > used by the OS... > eg. i set my password to "123456789" and i try logon via ssh with > password "123456789ofgjdfuh" - it lets me in. > and if i set my password to "qwertasdfGHJB" and i enter > "qwertasdfSDWQWSDS" - it lets me in... > > The 'passwd' command only recognises the first 9 characters too... > > Has anyone seen this before, or know how to fix it? I feel its a major > security risk and would like it fixed ASAP. Sounds like you're using DES password hashes instead of the newer MD5 style. If you take a peek at some of the password entries in your /etc/shadow do they have a $1$ at the beginning? If not, you're probably using DES which is limited to 8 characters. There are a few other places where password length, strength, etc can be configured, however I don't recall them off the top of my head. This is almost certainly not sshd's fault. :) Ray