Bugtraq mailing list archives
Re: SSH 1.x and 2.x Daemon
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Thu, 11 Feb 1999 17:33:24 +0100
No standard Unix 64-bit password can ever be encoded as anything but 11 characters plus 2 more for the "salt". Any field that is less than 13 characters can never match a valid password and will always result in a locked account. To be ultra careful any field longer than 13 characters should be searched for illegal characters, i.e. any non-alpha-numeric or not '.' and '/'. However in practice one can also assume that any field longer than 13 characters results in a locked account.
It should be noted, though, that some shadow password implementations encoded password attributes by adding ",attributes" to the encrypted string. Also, in SunOS 4.x "magic" shadow password, the password would look like "##user".

I don't think it's really all that easy to make ssh work safely without involving the system's login program or PAM, if it has it. When exec'ing login, the daemon loses track of the fact whether authentication was actually successful; so it can't safely do port/X forwarding in such cases.

Casper
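The field checks discussed in this message, as an added example that is not part of the original post or of any ssh code: a classifier that applies the 13-character rule together with the ",attributes" and "##user" caveats. The function names and sample entries are hypothetical, only the traditional 13-character crypt format is modelled, and an empty field is reported separately because traditional Unix treats it as "no password" rather than as locked.

```python
import string

# Output alphabet of traditional crypt(3): the 64 characters [./0-9A-Za-z].
CRYPT_ALPHABET = frozenset("./" + string.digits + string.ascii_letters)
CRYPT_LEN = 13  # 2 salt characters + 11 hash characters


def classify_pw_field(field):
    """Classify a passwd/shadow password field; returns (status, attributes).

    status is one of:
      "indirect" - SunOS 4.x style "##user" marker, real hash stored elsewhere
      "empty"    - no hash present at all
      "crypt"    - well-formed 13-character traditional crypt string
      "locked"   - can never equal any traditional crypt(3) output
    """
    if field.startswith("##"):
        return ("indirect", None)
    # Some shadow implementations append ",attributes" to the encrypted string.
    hash_part, sep, attrs = field.partition(",")
    attrs = attrs if sep else None
    if hash_part == "":
        return ("empty", attrs)
    if len(hash_part) != CRYPT_LEN:
        return ("locked", attrs)
    if not set(hash_part) <= CRYPT_ALPHABET:
        return ("locked", attrs)  # right length, illegal character
    return ("crypt", attrs)


def audit(lines):
    """Map user -> (status, attributes) for passwd-style 'user:field:...' lines."""
    return {user: classify_pw_field(field)
            for user, field in (line.split(":")[:2] for line in lines)}


# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = [
    "alice:abABCDEFGHIJK:100:10::/home/alice:/bin/sh",
    "bob:*:101:10::/home/bob:/bin/sh",
    "carol:##carol:102:10::/home/carol:/bin/sh",
    "dave:abABCDEFGHIJK,2.:103:10::/home/dave:/bin/sh",
    "eve:abABCDEFGH!JK:104:10::/home/eve:/bin/sh",
    "frank::105:10::/home/frank:/bin/sh",
    "grace:*LK*abABCDEFGHIJK:106:10::/home/grace:/bin/sh",
]

if __name__ == "__main__":
    for user, (status, attrs) in audit(SAMPLE).items():
        print(f"{user:6} {status:9} attributes={attrs!r}")
```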