On Wed, Aug 11, 2010 at 4:57 PM, Matt Keating <keatster at gmail.com> wrote:
> On Wed, Aug 11, 2010 at 4:45 PM, Ray Van Dolson <rayvd at bludgeon.org> wrote:
>> On Wed, Aug 11, 2010 at 04:38:22PM +0100, Matt Keating wrote:
>>> Hi,
>>>
>>> I've found a bug/problem with my CentOS 5.5 server. For any users who have
>>> a password of 9 characters or more, only the first 9 characters are
>>> used by the OS...
>>> e.g. I set my password to "123456789" and I try to log on via ssh with
>>> password "123456789ofgjdfuh" - it lets me in.
>>> And if I set my password to "qwertasdfGHJB" and I enter
>>> "qwertasdfSDWQWSDS" - it lets me in...
>>>
>>> The 'passwd' command only recognises the first 9 characters too...
>>>
>>> Has anyone seen this before, or know how to fix it? I feel it's a major
>>> security risk and would like it fixed ASAP.
>>
>> Sounds like you're using DES password hashes instead of the newer MD5
>> style.
>>
>> If you take a peek at some of the password entries in your /etc/shadow,
>> do they have a $1$ at the beginning? If not, you're probably using DES,
>> which is limited to 8 characters.
>
> Sounds like you're on the money. I didn't install this server, so I
> didn't choose the security stuff.
> Passwords don't start with $....
>
>> There are a few other places where password length, strength, etc. can
>> be configured, however I don't recall them off the top of my head.
>>
>> This is almost certainly not sshd's fault. :)
>>
>> Ray
>
> Will update shortly....
>

$ sudo authconfig --usemd5 --updateall

Done! Thanks Ray!
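An added example, not written by anyone in this thread, that does the /etc/shadow check Ray describes in code: it classifies each entry's hash field by its prefix (`$1$` MD5-crypt, `$5$`/`$6$` SHA-crypt, `$2*$` bcrypt, a bare 13-character string for traditional DES crypt) and lists the accounts whose hash still only covers the first 8 characters of the password. It is worth running after the `authconfig --usemd5 --updateall` step, because that switches the algorithm used for passwords set from then on; an existing DES hash cannot be converted without the plaintext, so each flagged account keeps the truncation until its password is changed. The shadow lines are constructed sample data, not real accounts, and the function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample /etc/shadow content (not real accounts). "matt" carries a
# traditional DES crypt hash: 13 characters from the [./0-9A-Za-z] alphabet and
# no "$id$" prefix. The others use MD5-crypt, SHA-512-crypt, or are locked.
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuv:14832:0:99999:7:::
matt:abJnggxhB/yWI:14832:0:99999:7:::
ray:$1$saltsalt$abcdefghijklmnopqrstuv:14832:0:99999:7:::
nobody:!!:14832:0:99999:7:::
svc:*:14832:0:99999:7:::
"""

# glibc crypt(3) scheme identifiers -> human-readable name.
SCHEME_BY_PREFIX = {
    "$1$": "MD5-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
}
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Longest part of the password that actually enters the hash. DES crypt uses
# only the first 8 characters, bcrypt the first 72 bytes; the crypt-based
# MD5/SHA schemes hash the whole password (None = no truncation).
EFFECTIVE_MAX_LEN = {"DES-crypt": 8, "bcrypt": 72}


@dataclass
class Finding:
    user: str
    scheme: str
    max_effective_len: Optional[int]


def classify_hash(field: str) -> str:
    """Name the crypt scheme of one /etc/shadow password field."""
    if field == "":
        return "empty"                      # passwordless login
    if field.startswith(("!", "*")):
        return "locked"                     # password login disabled
    for prefix, name in SCHEME_BY_PREFIX.items():
        if field.startswith(prefix):
            return name
    if DES_HASH_RE.match(field):
        return "DES-crypt"                  # the case from the thread
    return "unknown"


def effective_secret(password: str, scheme: str) -> str:
    """The part of a candidate password that the given scheme compares."""
    limit = EFFECTIVE_MAX_LEN.get(scheme)
    return password if limit is None else password[:limit]


def audit_shadow(text: str) -> List[Finding]:
    """Classify every entry of a shadow file given as text."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                        # malformed line, skip
        scheme = classify_hash(fields[1])
        findings.append(Finding(fields[0], scheme, EFFECTIVE_MAX_LEN.get(scheme)))
    return findings


def des_accounts(text: str) -> List[str]:
    """Accounts whose stored hash covers only the first 8 password characters."""
    return [f.user for f in audit_shadow(text) if f.scheme == "DES-crypt"]


if __name__ == "__main__":
    # Real use: audit_shadow(open("/etc/shadow").read()) as root.
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user:10} {f.scheme:15} effective length limit: {f.max_effective_len}")
    print("still DES, need a password change:", des_accounts(SAMPLE_SHADOW))
```

`effective_secret` reproduces the symptom from the first message: under DES-crypt the candidates "123456789" and "123456789ofgjdfuh" reduce to the same 8-character string, so both verify against the stored hash, while under MD5-crypt they differ.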