[wplug-bsd] Password oddity

Bill Moran wmoran at potentialtech.com
Wed Dec 3 13:03:58 EST 2003


Benjamin Slavin wrote:
> Sorry if I was ambiguous as to what is happening.
> 
> It's not really a problem, but it's a "very strange thing." I can use my 
> system without any problems, and can login as any user and su to root 
> (on the appropriate accounts).
> 
> Say my password is "12345678". When I'm at a login prompt on the console 
> or via ssh, I can type in 12345678[insert anything here] and still login 
> (eg "12345678935406876846" will be accepted). This can be reproduced for 
> any non-root user (using the appropriate password). Root for some reason 
> behaves properly (that is, if root's password is 87654321, and 876543210 
> is entered, login will not happen).

This is going to be an incomplete answer, since I don't know the whole
answer.  Hopefully it will provide enough information that you can find
the rest of what you need to know.

FreeBSD is capable of supporting multiple methods of encrypting passwords
in the /etc/master.passwd file.  It can actually support multiple methods
in use simultaneously.  The reason for this is to support legacy systems
while also supporting newer (better) encryption.

If you look in the /etc/master.passwd file, the first few characters of
the encrypted password indicate what sort of encryption is being used.
Here's where I don't know details: I can't tell you what character
combinations mean what encryption.

However, I seem to remember some discussions of this problem when upgrading
older machines and changing the default encryption scheme.  I also seem to
remember some discussions of appending extra characters to passwords allowing
you to log on still.

Here's what I suspect (but I could be off-base here):
You created the root account and it was encrypted with a good encryption
scheme.  Somewhere along the way, your default encryption scheme was
changed and subsequent users were created with inferior encryption.
These accounts are only able to check that the first part of the password
works, but (somehow) the encryption ignores extra characters.

If I'm right, you should be able to fix your problem by changing your
default encryption to the better technique, and recreating the passwords.

Take this with a grain of salt, however, since I'm pulling from memory,
and that's seldom very reliable.  I also don't remember how you change
your default encryption scheme (sorry).

Do some Google searches, as I'm sure this has come up and been discussed
elsewhere.

Hope this is some help.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
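
An added example, not part of the original message: a shell function that sorts master.passwd entries by the hash prefix the reply describes and lists the accounts still on traditional DES crypt, which uses only the first 8 characters of a password. The prefix meanings are standard crypt(3) conventions rather than something stated in the thread, and the sample entries and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies field 2 of master.passwd-format lines by its prefix.

# Constructed sample entries; the hash fields are placeholders, not real hashes.
sample_master_passwd() {
    cat <<'EOF'
root:$1$constrct$notARealHashValue0000:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:XXconstructed:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$constructedPlaceholderNotARealHash:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
}

# Print "user scheme" for each entry read from the named files or from stdin.
classify_hashes() {
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            h = $2
            if (h == "")                        s = "empty"
            else if (substr(h, 1, 1) == "*")    s = "locked"         # no password login
            else if (substr(h, 1, 3) == "$1$")  s = "md5"
            else if (substr(h, 1, 2) == "$2")   s = "blowfish"
            else if (substr(h, 1, 1) == "$")    s = "other-modular"
            else if (substr(h, 1, 1) == "_")    s = "bsdi-des"       # extended DES
            else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") s = "des"
            else                                s = "unknown"
            print $1, s
        }' "$@"
}

# Traditional DES crypt uses only the first 8 characters of a password, so
# these accounts accept the correct password followed by anything.
truncating_users() {
    classify_hashes "$@" | awk '$2 == "des" { print $1 }'
}

# Demonstration on the constructed sample.
sample_master_passwd | classify_hashes
```

On a real system, run `truncating_users /etc/master.passwd` as root. On FreeBSD the scheme for newly set passwords comes from the `passwd_format` capability in /etc/login.conf (rebuild with `cap_mkdb /etc/login.conf`), and an existing hash changes only when that user's password is set again.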



