[tac_plus] Issue: Incomplete passwords being accepted

Alan McKinnon alan.mckinnon at gmail.com
Sat Feb 28 05:18:43 UTC 2015


On Wed, 25 Feb 2015 16:11:54 -0800
Justin Labo <justin.labo at dena.com> wrote:

> Hello,
> 
> I'm having an issue with tac_plus and was hoping you could shed some
> light on it.
> 
> tac_plus is accepting incomplete passwords as valid. For example, if
> my password was 'password' and I enter 'passwor', I can log in. Have
> you ever seen this before?
> 
> We are running tac_plus version F4.0.4.17. I was planning on
> upgrading to the latest release and validating the existing tac_plus
> configs, but wanted to check in with you guys beforehand.


What password hash types are you using?

You get this behaviour with classic Unix crypt hashes (3DES). crypt
will accept up to 11 characters as an entered password but only use the
first 9. Entering more than 11 is an error.

Alan
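
One way to answer the hash-type question for a whole configuration, added here as an example and not part of the original message: the script classifies each user's stored login hash by its format and lists the users whose hash is a classic 13-character Unix crypt (DES) value, the type the reply associates with ignored trailing characters. The sample config, user names and hash strings are constructed, and the `user = name { login = des <hash> }` layout is an assumption about the config being audited.

```python
import re

# Constructed sample; names and hash strings are made up, and the
# "login = des <hash>" layout is an assumption about the audited config.
SAMPLE_CONFIG = """\
user = alice {
    login = des ab01CdEfGhIjK
}
user = bob {
    login = des $1$Qx9zLk2p$0123456789abcdefghijk.
}
user = carol {
    login = cleartext "example"
}
"""

CRYPT_CHARS = r"[./0-9A-Za-z]"
# Ordered list: prefixed (modular) formats first, bare DES formats last.
SCHEMES = [
    ("md5-crypt", re.compile(r"^\$1\$")),
    ("bcrypt", re.compile(r"^\$2[abxy]?\$")),
    ("sha256-crypt", re.compile(r"^\$5\$")),
    ("sha512-crypt", re.compile(r"^\$6\$")),
    ("bsdi-des", re.compile(r"^_" + CRYPT_CHARS + r"{19}$")),
    ("traditional-des", re.compile(r"^" + CRYPT_CHARS + r"{13}$")),
]
USER_RE = re.compile(r"^\s*user\s*=\s*(\S+)")
LOGIN_RE = re.compile(r"^\s*login\s*=\s*(\S+)\s+(.+?)\s*$")

def classify_hash(value):
    """Return the crypt scheme name implied by the hash string's format."""
    for name, pattern in SCHEMES:
        if pattern.search(value):
            return name
    return "unknown"

def audit(config_text):
    """Return (user, scheme) pairs for every login line inside a user block."""
    findings, user = [], None
    for line in config_text.splitlines():
        if (m := USER_RE.match(line)):
            user = m.group(1)
        elif (m := LOGIN_RE.match(line)) and user:
            kind, value = m.groups()
            # Only "des" entries carry a crypt hash; report other kinds as-is.
            findings.append((user, classify_hash(value) if kind == "des" else kind))
    return findings

def truncating_users(config_text):
    """Users whose stored hash is classic DES crypt and should be re-hashed."""
    return [u for u, scheme in audit(config_text) if scheme == "traditional-des"]
```
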

