I just logged into my Linux machine on the account ender with two passwords. Both passwords work! How is it possible?
I'm using the latest Ubuntu 9.10.
Are both passwords more than 8 characters long? Some password backends respect only the first 8 characters of a password...
I'd completely forgotten about that! I wonder if Ubuntu's SSH server is old enough to fizzle there. – Trevoke – 2010-02-04T20:43:27.517
It is not the SSH server but rather the hash function used. – user1686 – 2010-02-04T21:10:24.197
Yes, they're both more than 8 characters, and they both start with the same 8 characters. – Alex – 2010-02-04T21:17:01.387
Wow, you're right. I tried other passwords that start with the same 8 chars, and it works. – Alex – 2010-02-04T21:18:04.677
Hah. I did that once with Solaris... I thought I was being SO secure, and it turned out that my hilariously long 32 character password was only 8 characters long. – Satanicpuppy – 2010-02-04T22:12:25.147
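The 13-character value in the shadow line posted below (two-character salt followed by eleven hash characters, no `$id$` prefix) is the traditional DES-based crypt(3) format, which is exactly the backend the accepted answer refers to: it uses only the first 8 characters of the password. The following Python is an added example, not code from the original thread; it parses lines in /etc/shadow format, identifies which hash scheme each account uses, and reports the accounts whose scheme silently truncates the password. The sample line is a constructed value modelled on the redacted one in the question.

```python
import re

# Constructed sample in /etc/shadow format (the question's line had letters changed;
# this value is made up for the example).
SAMPLE_SHADOW_LINE = "ender:7.P22C5bQli72:14549:0:99999:7:::"

# Modern crypt(3) schemes carry a "$id$" prefix and hash the whole password.
# Traditional DES crypt has no prefix: 2-char salt + 11-char hash = 13 chars,
# and only the first 8 characters of the password are significant.
PREFIXED_SCHEMES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Return (scheme_name, significant_chars) for a shadow password field.
    significant_chars is None when the whole password is used, 0 when the
    account is locked or has no password."""
    if field == "" or field.startswith("!") or field == "*":
        return ("locked-or-empty", 0)
    for prefix, name in PREFIXED_SCHEMES.items():
        if field.startswith(prefix):
            return (name, None)
    if DES_HASH_RE.match(field):
        return ("des-crypt", 8)
    return ("unknown", None)


def parse_shadow_line(line):
    user, pw_hash = line.split(":")[:2]
    scheme, limit = classify_hash(pw_hash)
    return {"user": user, "scheme": scheme, "limit": limit}


def passwords_collide(pw_a, pw_b, limit):
    """True if a scheme keeping only `limit` characters cannot tell the two apart."""
    if limit is None:
        return pw_a == pw_b
    return pw_a[:limit] == pw_b[:limit]


def audit(lines):
    """Users whose hash scheme truncates the password (the condition in the question)."""
    return [e["user"] for e in map(parse_shadow_line, lines) if e["limit"]]
```

Accounts reported by `audit` keep working with any password sharing the first 8 characters until the user's password is re-set under a prefixed scheme (the ENCRYPT_METHOD setting in /etc/login.defs decides which one new passwords get).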
Do you see something in /var/log/auth.log about both of them? What does it say? – ℝaphink – 2010-02-04T20:21:06.867
What is account 'ender'? What were the two passwords (if we can know) -- otherwise, how different are they, what are the md5 like? From where did you log on (tty, vty, sty, su, su - ....)? What's the line like in /etc/shadow? – Trevoke – 2010-02-04T20:23:13.540
Ender has sudoer ALL. I logged in from PuTTY, simple. The line is like this (with letters changed) .... ender:7.P22C5bQli72:14549:0:99999:7::: – Alex – 2010-02-04T20:30:25.100
So you logged in via SSH? What kind of authentication scheme are you using for SSH? Maybe it allows incoming connections from your username at your local IP? SSH authentication isn't a topic I know very well, I prefer locking it down more than opening it up. – Trevoke – 2010-02-04T20:37:27.220
Yep, it's SSH. Other passwords don't work, just those 2 :) – Alex – 2010-02-04T20:39:24.720
Now it's time to follow Raphink's path - what's up with /var/log/auth.log? – Trevoke – 2010-02-04T20:40:52.203
Maybe passwordless login is enabled? http://www.biostat.jhsph.edu/bit/nopassword.html – Sathyajith Bhat – 2010-02-04T20:47:25.090
Have you tried typing both passwords into notepad or a text editor to make sure they're actually coming out different? – user229044 – 2010-02-04T20:52:59.180