> a simple question about xdm :
>
> my root password is ... say "toto". when i try to login
> with password "totoxxx", it works. The xdm login
> only compares characters from the beginning, to the end of
> the password. is it normal ???
It shouldn't be that way for your root password as "toto", but let's say your root password was "wizardoz". Then "wizardos_is_a_fraud" would work, because anything past 8 letters is ignored. In fact, the scenario that you describe -couldn't- happen, unless login on xdm was severely broken (try using "dorothy" as a password instead of "toto"; if you can get in, then you know it's broken :-( ).

What login (and xdm, etc.) do is take the password you type, hash the first 8 characters with a one-way hash function, and compare that with the stored, previously hashed password. The original password is lost -- it exists in the memory of passwd, login, xdm, and so on for the bare minimum they need to do their job, then it is destroyed, to prevent snoopers. Since all xdm has to play with is a previously hashed value, it -can't- tell that the password "toto" is only 4 characters long. It can only tell that "totoxxx" hashes to the same value as "toto". Given the way that the hash function is designed, I think (but I am not certain) that that is mathematically impossible (but at the least, it is highly improbable).

I just tried it on my system, and I was able to su to root by using the password "scarecro" instead of the complete "scarecrow" (and, no, that isn't the root password on my system, but mine is longer than 8 characters), so the 8 character limit is still live on Debian systems.

Theoretically, we should be able to "pay no attention to the crypt() behind the login", but maintaining compatibility with other systems forces us to use the same crypt() Unix has been using for decades. This limits us to only 8 significant characters.

How many utilities would have to be changed to implement the following password logic: If the stored hash is 13 characters long, use crypt(). If it is 32 characters long, use md5sum(). Otherwise, fail. This would allow us to retain backwards compatibility while potentially increasing the security of the system by allowing arbitrarily long passwords.
> thanks,
>
> Richard

--
Buddha Buck
"Just as the strength of the Internet is chaos, so the strength of our liberty depends upon the chaos and cacophony of the unfettered speech the First Amendment protects." -- A.L.A. v. U.S. Dept. of Justice
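The hash-length dispatch proposed in the reply above, written out as an added Python example that is not part of the original thread. The legacy branch is a constructed stand-in that models only the property the reply describes (just the first 8 characters of the password matter), not the real DES-based crypt(3); the salt, the 13/32-character lengths and the sample passwords are assumptions taken from the discussion.

```python
import hashlib
import hmac

LEGACY_SIGNIFICANT_CHARS = 8   # the crypt(3) limit the reply describes
LEGACY_HASH_LEN = 13           # 2-char salt + 11 hash chars, as in classic crypt()
MD5_HASH_LEN = 32              # length of an md5sum() hex digest


def legacy_hash(password: str, salt: str) -> str:
    """Stand-in for classic crypt(): everything past 8 characters is ignored.

    Constructed model, not the real DES algorithm; it reproduces the
    13-character output shape and the 8-character truncation only.
    """
    significant = password[:LEGACY_SIGNIFICANT_CHARS]
    digest = hashlib.sha256((salt + significant).encode()).hexdigest()
    return salt + digest[: LEGACY_HASH_LEN - len(salt)]


def md5_hash(password: str) -> str:
    """The md5sum() branch of the proposal: the whole password is significant."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_kind(stored: str) -> str:
    """Classify a stored hash by length, the way the proposal suggests."""
    if len(stored) == LEGACY_HASH_LEN:
        return "legacy-crypt"
    if len(stored) == MD5_HASH_LEN:
        return "md5"
    return "unknown"


def verify(password: str, stored: str) -> bool:
    """13 chars -> legacy crypt(); 32 chars -> md5sum(); anything else fails."""
    kind = hash_kind(stored)
    if kind == "legacy-crypt":
        candidate = legacy_hash(password, stored[:2])
    elif kind == "md5":
        candidate = md5_hash(password)
    else:
        return False
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    legacy = legacy_hash("scarecrow", "ab")
    print("legacy accepts 'scarecro':", verify("scarecro", legacy))   # True
    print("md5 accepts 'scarecro':", verify("scarecro", md5_hash("scarecrow")))  # False
```

Unix systems later solved the same problem by tagging the stored hash with a `$id$` prefix rather than relying on its length, and an unsalted md5sum() as proposed would be open to precomputed lookups, so this is the proposal as written, not the form that shipped.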