SUSE 11 does not require entire password to access



generye
16-Jan-2014, 00:48
I have a SUSE 11 box hardened to meet govt requirements. Minimum length password (14) is defined in /etc/pam.d/common_password as "minlen = 14" and /etc/login.defs with "PASS_MIN_LEN" as 14. I only have to enter the first 8 characters of my password to gain access. Please help.

ab
16-Jan-2014, 05:46
Are you using something really old like 'crypt' for your password
algorithm? It limits passwords to eight characters, and anything else is
ignored.

SLE 11 defaults to NOT-crypt (blowfish or something I think) so unless you
changed this you should not be using crypt. Easy way to test is to first
change your password to something stupid and then, replacing USERNAME with
your own username, run the following command and post the output:

Code:
--------------------
sudo grep USERNAME /etc/shadow
--------------------

This will post your password hash so we can tell you what kind it is. You
can look this up yourself too if you Google a bit. Normally you should
never post this stuff, which is why I said to first change your password
to something you do not care about.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
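
Added example, not part of the original thread or any poster's code: a POSIX shell function that reads shadow-format lines and reports only the hash scheme per user, using the standard crypt(3) prefixes, so the scheme can be shared without posting the hash. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the scheme of a shadow(5) password field by its
# crypt(3) prefix, so the scheme can be reported without exposing the hash.
classify_shadow_hash() {
    field=$1
    # A leading '!' marks a locked password; strip it to inspect what remains.
    while [ "${field#!}" != "$field" ]; do field=${field#!}; done
    case $field in
        '')        echo "empty: no password hash set" ;;
        '*'*)      echo "disabled: no valid hash" ;;
        '$1$'*)    echo "md5crypt: full password is used" ;;
        '$2a$'*|'$2b$'*|'$2x$'*|'$2y$'*)
                   echo "bcrypt (blowfish): full password is used, up to 72 bytes" ;;
        '$5$'*)    echo "sha256crypt: full password is used" ;;
        '$6$'*)    echo "sha512crypt: full password is used" ;;
        '$'*)      echo "unknown: unrecognised crypt prefix" ;;
        *)
            # Traditional DES crypt: exactly 13 chars from [./0-9A-Za-z].
            if [ "${#field}" -eq 13 ] &&
               ! printf '%s' "$field" | grep -q '[^./0-9A-Za-z]'; then
                echo "des: only the first 8 password characters are used"
            else
                echo "unknown: not a recognised hash format"
            fi ;;
    esac
}

# report_shadow_schemes: read shadow-format lines on stdin and print the
# user name and scheme only (never the hash itself).
report_shadow_schemes() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s\t%s\n' "$user" "$(classify_shadow_hash "$hash")"
    done
}

# Constructed sample lines (placeholder hashes, not real accounts).
sample_shadow() {
    cat <<'EOF'
alice:abCDefGHijKLm:16086:0:99999:7:::
bob:$2a$05$CONSTRUCTEDSALTANDHASHPLACEHOLDER:16086:0:99999:7:::
carol:$6$constructedsalt$constructedhashplaceholder:16086:0:99999:7:::
daemon:*:16086::::::
EOF
}

sample_shadow | report_shadow_schemes
# On a live system, as root: report_shadow_schemes < /etc/shadow
```

A hash keeps the scheme it was created with until the password is changed again, so an account can still report `des` after the configured default has been switched.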

generye
02-Feb-2014, 03:46
I'm not using crypt. YaST has blowfish for encryption. Not sure what config files would set the encryption. I changed it to sha512. YaST also shows the minlen as 5. Every time I reset it to 14 in YaST, any changes I made to the common-password file reverts it back. YaST also keeps minlen at 5. I tried to make the individual common-* files similar to RHEL5/6 configurations. Nothing seems to work. Any other ideas?

BTW, after entering the first 8 chars, you can enter nothing or anything, despite what your real password is and it will still allow access.

ab
02-Feb-2014, 05:28
You didn't post the output from that command. It could help.

How, exactly, was the "hardening" done? If we can reproduce it perhaps we
can tell you more.

--
Good luck.
