[tac_plus] Issue: Incomplete passwords being accepted

Matt Almgren malmgren at skyfire.com
Sat Feb 28 16:29:42 UTC 2015


I never noticed this before, but I see the same 8-character problem with version F4.0.4.27a and CentOS 6.4.

 -- Matt


________________________________________
From: tac_plus [tac_plus-bounces at shrubbery.net] On Behalf Of Heasley [heas at shrubbery.net]
Sent: Saturday, February 28, 2015 1:11 AM
To: Alan McKinnon
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Issue: Incomplete passwords being accepted

On 28.02.2015 at 06:18, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
>
> On Wed, 25 Feb 2015 16:11:54 -0800
> Justin Labo <justin.labo at dena.com> wrote:
>
>> Hello,
>>
>> I'm having an issue with tac_plus and was hoping you could shed some
>> light on it.
>>
>> tac_plus is accepting incomplete passwords as valid. For example, if
>> my password was 'password' and I enter 'passwor', I can log in. Have
>> you ever seen this before?

Besides what Alan mentions, no. I'll test it though and report if I find a problem.

>>
>> We are running tac_plus version F4.0.4.17.

That is not the most recent version, btw.

>> I was planning on
>> upgrading to the latest release and validating the existing tac_plus
>> configs, but wanted to check in with you guys beforehand.
>
>
> What password hash types are you using?
>
> You get this behaviour with classic Unix crypt hashes (3DES). crypt
> will accept up to 11 characters as an entered password but only use the
> first 9. Entering more than 11 is an error.
>

The first 8 and ignoring trailing bytes is more typical.

> Alan
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
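As an added example (not from the thread and not tac_plus's own code): a small Python audit that walks a tac_plus.conf, classifies each `login = des` entry by its crypt(3) hash format, and flags accounts whose stored hash only covers the first 8 bytes of the password. It assumes the shrubbery tac_plus syntax `user = name { login = des <hash> }`, and the sample config, hash strings and function names in the block are constructed for illustration. `des_accepts` uses the system crypt(3) through Python's stdlib `crypt` module where that module exists and still supports DES, and otherwise falls back to the 8-byte prefix rule that the DES key schedule implements.

```python
"""Audit a tac_plus.conf for crypt(3) hashes that silently truncate.

Added example; not part of the mailing-list thread or the tac_plus project.
Assumes the shrubbery tac_plus syntax:   login = des <crypt(3) string>
"""
import re

# crypt(3) output families by prefix. The second field is the number of
# password bytes the hash actually covers; None means the whole password.
HASH_FAMILIES = {
    "$1$": ("md5crypt", None),
    "$5$": ("sha256crypt", None),
    "$6$": ("sha512crypt", None),
    "$2a$": ("bcrypt", 72),
    "$2b$": ("bcrypt", 72),
    "$2y$": ("bcrypt", 72),
}
# Traditional DES crypt: 2-char salt + 11-char hash, no '$' prefix. DES
# builds its 56-bit key from the low 7 bits of each of the first 8 bytes
# and ignores everything after byte 8.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

USER_RE = re.compile(r"user\s*=\s*(\S+)\s*\{")
LOGIN_RE = re.compile(r"login\s*=\s*(\w+)\s+(\S+)")

# Constructed tac_plus.conf fragment; the hash strings are placeholders
# with the right shape, not real password hashes.
SAMPLE_CONF = """
user = alice {
    login = des abJnggxhB/yWI
}
user = bob {
    login = des $1$Nq7sLlYW$Jk0F6q2t1p6fXz4B8Yd0G.
}
user = carol {
    login = des $6$rounds=5000$Zt5Qm9w2$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
}
user = dave {
    login = cleartext hunter2
}
"""


def classify(hash_str):
    """Return (family, bytes_verified) for one crypt(3) string."""
    h = hash_str.strip('"')
    for prefix, family_limit in HASH_FAMILIES.items():
        if h.startswith(prefix):
            return family_limit
    if DES_HASH.match(h):
        return ("des", 8)
    return ("unknown", None)


def audit(conf_text):
    """List (user, family, bytes_verified) for each user's login entry.

    Only 'user = ... { }' blocks are handled; group-level logins are an
    assumption this example does not cover.
    """
    findings = []
    user = None
    for line in conf_text.splitlines():
        m = USER_RE.search(line)
        if m:
            user = m.group(1)
            continue
        m = LOGIN_RE.search(line)
        if m and user:
            method, value = m.groups()
            if method == "cleartext":
                findings.append((user, "cleartext", None))
            elif method == "des":
                family, limit = classify(value)
                findings.append((user, family, limit))
    return findings


def truncating_users(conf_text, min_policy_len=9):
    """Users whose hash verifies fewer bytes than the password policy needs."""
    return [u for u, _fam, lim in audit(conf_text)
            if lim is not None and lim < min_policy_len]


def des_accepts(stored_pw, typed_pw):
    """Would a DES-crypt login set to stored_pw accept typed_pw?

    Prefers the real crypt(3) via the stdlib crypt module (deprecated in
    3.11, removed in 3.13). If the module is missing, or the libc no
    longer produces DES hashes, fall back to the 8-byte prefix rule; the
    fallback ignores the 7-bit-per-byte detail of the real key schedule.
    """
    try:
        import crypt  # noqa: may raise ImportError on 3.13+
        h = crypt.crypt(stored_pw, "ab")  # constructed 2-char salt
        if h and DES_HASH.match(h):
            return crypt.crypt(typed_pw, h) == h
    except (ImportError, OSError):
        pass
    return stored_pw[:8] == typed_pw[:8]
```

Run `audit()` over the live tac_plus.conf: every user returned by `truncating_users()` accepts any password that shares the first 8 bytes of the real one (so `password1234` and `passwordXYZ` verify against each other, while the shorter `passwor` does not match `password`), and the remedy is to regenerate those entries with a `$5$` or `$6$` hash, which glibc crypt(3) verifies over the full password.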


