bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pserver login fails on 9 char passwords


From: Mäkeläinen Juha
Subject: Re: pserver login fails on 9 char passwords
Date: Mon, 29 Mar 2004 15:44:35 +0300


-----Alkuperäinen viesti-----
Lähettäjä: Brian Murphy [mailto:address@hidden 
Lähetetty: 29. maaliskuuta 2004 13:46
Vastaanottaja: Mäkeläinen Juha
Kopio: address@hidden
Aihe: Re: pserver login fails on 9 char passwords


Mäkeläinen Juha wrote:

>This problem was found when using cvs-1.11.11 server on HP-UX and 
>wincvs client.
>
>If user password is 9 chars long, the crypted password from client is 
>13 characters but password got from HP-UX secure password system is 24 
>characters. The server.c module can not handle that.

...  

Have you tried using the PAM in the 1.12 versions?

/Brian

  No; we are trying to use a stable version and very straightforward solutions 
for out production group.

  I am not much aware of the possibilities of PAM, I have only glimsed 
http://www.cvshome.org/docs/manual/cvs-1.12.2/cvs_2.html . Is it something 
which can be easily installed in any server?


Mark D. Baushke wrote:
> Your patch makes me uncomfortable because it may be possible to
> choose a password that is encrypted with the same salt as the
> found_passwd and happens to encode to a substring of the real
> found_passwd without being a valid password on the system.
>
> I would rather understand what HP/UX is doing to the found_password
> such that it is so much longer than the crypted password.

  Yes, I would be nice if HP would fix this.

  This kinds of risk may propably be considered moderate in our company's LAN, 
but of course this kind of paranoia is your job. Still I think it should be 
quite difficult to guess one of those passwords. When using shorter passwords 
(<9 chars), isn't it equally easy to guess them?


 -- Juha




reply via email to

[Prev in Thread] Current Thread [Next in Thread]