Bugtraq mailing list archives
Re: SSH 1.x and 2.x Daemon
From: ronny () TMX COM AU (Ronny Cook)
Date: Fri, 12 Feb 1999 10:08:51 +1100
Date: Tue, 9 Feb 1999 13:46:09 -0500 From: "Greg A. Woods" <woods () MOST WEIRD COM>
[...]
No standard Unix 64-bit password can ever be encoded as anything but 11 characters plus 2 more for the "salt". Any field that is less than 13 characters can never match a valid password and will always result in a locked account. To be ultra careful any field longer than 13 characters should be searched for illegal characters, i.e. any non-alpha-numeric or not '.' and '/'. However in practice one can also assume that any field longer than 13 characters results in a locked account.
Just a couple of minor nitpicks. We don't want to go around overestimating the effectiveness of the standard UNIX password encryption algorithm, after all. :-)
(1) DES password encryption uses a 56-bit key, not a 64-bit key. Yes, the first 8 characters of the password are used, but the high bits are discarded.
(2) There is one special case where a "valid" DES-encrypted password field is *not* 13 characters long: when it is empty, indicating that no password need be supplied. This is obviously not recommended for accounts required to be secure, but there are reasons why it might be required.
...Ronny
--
Ronald Cook, Technical Manager - Message Handling Systems/The Message eXchange
Email: ronny () tmx com au ----- Phone: +61-2-9550-4448 ---- Fax: +61-2-9519-2551
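The field rules discussed in this thread, sketched in C as an added example (not part of the original posts and not code from any SSH daemon). It covers only the traditional DES crypt field; the function and enum names are hypothetical, and anything that is not exactly 13 characters or empty is treated as locked, which is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Outcome of inspecting the password field of a traditional passwd entry. */
enum pw_field { PW_EMPTY, PW_DES_HASH, PW_LOCKED };

/* crypt(3) output alphabet: '.', '/', digits, upper- and lower-case letters. */
static int in_crypt_alphabet(char c)
{
    return c == '.' || c == '/' ||
           (c >= '0' && c <= '9') ||
           (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

/* Classify a field under the rules in the thread (traditional DES crypt only). */
enum pw_field classify_pw_field(const char *field)
{
    size_t len = strlen(field);

    if (len == 0)
        return PW_EMPTY;      /* special case: no password need be supplied */
    if (len != 13)
        return PW_LOCKED;     /* assumption: other lengths never match */
    for (size_t i = 0; i < len; i++)
        if (!in_crypt_alphabet(field[i]))
            return PW_LOCKED; /* illegal character, can never match */
    return PW_DES_HASH;       /* 2 salt characters + 11 hash characters */
}

/* Key material traditional crypt() takes from a password: the low 7 bits of
 * each of the first 8 characters, 56 bits in total. Packed into one integer
 * here for comparison only; this is not the DES key byte layout. */
uint64_t des_crypt_key_bits(const char *password)
{
    uint64_t key = 0;
    size_t len = strlen(password);

    for (size_t i = 0; i < 8; i++) {
        unsigned char c = i < len ? (unsigned char)password[i] : 0;
        key = (key << 7) | (c & 0x7f);  /* high bit of each byte is dropped */
    }
    return key;
}
```

Two passwords that differ only after the eighth character, or only in the high bit of a character, yield the same key material, which is the 56-bit point made in (1).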