How is it possible that I can log into my account with two different passwords?

I just logged into my Linux machine on the account ender with two passwords. Both passwords work! How is it possible?

I'm using latest Ubuntu 9.10.

Alex

Posted 2010-02-04T20:14:32.657

Reputation: 1 751

Do you see something in /var/log/auth.log about both of them? What does it say? – ℝaphink – 2010-02-04T20:21:06.867

What is account 'ender'? What were the two passwords (if we can know) -- otherwise, how different are they, what are the md5 like? From where did you log on (tty, vty, sty, su, su - ....)? What's the line like in /etc/shadow? – Trevoke – 2010-02-04T20:23:13.540

Ender has sudoer ALL. I logged in from PuTTY, simple. The line is like this (with letters changed) .... ender:7.P22C5bQli72:14549:0:99999:7::: – Alex – 2010-02-04T20:30:25.100

So you logged in via SSH ? What kind of authentication scheme are you using for SSH ? Maybe it allows incoming connections from your username at your local IP ? SSH authentication isn't a topic I know very well, I prefer locking it down more than opening it up. – Trevoke – 2010-02-04T20:37:27.220

Yep, it's SSH. Other passwords don't work. just those 2 :) – Alex – 2010-02-04T20:39:24.720

Now it's time to follow Raphink's path - what's up with /var/log/auth.log ? – Trevoke – 2010-02-04T20:40:52.203

Maybe passwordless login is enabled? http://www.biostat.jhsph.edu/bit/nopassword.html – Sathyajith Bhat – 2010-02-04T20:47:25.090

Have you tried typing both passwords into notepad or a text editor to make sure they're actually coming out different? – user229044 – 2010-02-04T20:52:59.180

Answers

Are both passwords more than 8 characters long? Some password backends respect only the first 8 characters of a password...

Jon Lasser

Posted 2010-02-04T20:14:32.657

Reputation: 1 267

I'd completely forgotten about that! I wonder if Ubuntu's SSH server is old enough to fizzle there. – Trevoke – 2010-02-04T20:43:27.517

It is not the SSH server but rather the hash function used. – user1686 – 2010-02-04T21:10:24.197

Yes, they're both more than 8 characters, and they both start with the same 8 characters. – Alex – 2010-02-04T21:17:01.387

Wow, you're right. I tried other passwords that start with the same 8 chars, and it works. – Alex – 2010-02-04T21:18:04.677

Hah. I did that once with Solaris...I thought I was being SO secure, and it turned out that my hilariously long 32 character password was only 8 characters long. – Satanicpuppy – 2010-02-04T22:12:25.147
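The hash in the question (`7.P22C5bQli72`, 13 characters with no `$id$` prefix) is the traditional DES-crypt format, which is exactly the backend that only honours the first 8 characters. Below is an added audit script, not from the original post or from Ubuntu, that parses shadow-format lines and flags accounts still stored with that truncating scheme; the sample lines, the account names other than `ender`, and the hash bodies are constructed placeholders.

```python
import re

# Constructed sample shadow lines (not a real /etc/shadow). The first one
# mirrors the 13-character traditional DES-crypt hash shape from the question.
SAMPLE_SHADOW = """\
ender:7.P22C5bQli72:14549:0:99999:7:::
alice:$6$saltsalt$placeholderhashbody0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ:14549:0:99999:7:::
bob:$1$saltsalt$placeholderhashbody01:14549:0:99999:7:::
carol:$y$j9T$saltsaltsaltsaltsaltsalt$placeholderhashbody0123456789ABCDEFG:14549:0:99999:7:::
daemon:*:14549:0:99999:7:::
guest:!:14549:0:99999:7:::
"""

# Modular-crypt prefixes -> (scheme, password length the scheme itself honours;
# None means the hash imposes no truncation).
SCHEMES = {
    "$1$": ("md5-crypt", None),
    "$2a$": ("bcrypt", 72), "$2b$": ("bcrypt", 72), "$2y$": ("bcrypt", 72),
    "$5$": ("sha256-crypt", None),
    "$6$": ("sha512-crypt", None),
    "$y$": ("yescrypt", None),
}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash

def classify_hash(field):
    """Return (scheme, max_password_chars) for one shadow password field."""
    if field in ("", "*") or field.startswith("!"):
        return ("locked-or-empty", None)
    for prefix, info in SCHEMES.items():
        if field.startswith(prefix):
            return info
    if DES_CRYPT.match(field):
        # Traditional DES crypt: only the first 8 characters of the password
        # feed the key schedule, so anything past them is silently ignored.
        return ("des-crypt", 8)
    return ("unknown", None)

def audit_shadow(text):
    """Return {user: (scheme, max_chars)} for every line of shadow-format text."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw_field = line.split(":", 2)[:2]
        result[user] = classify_hash(pw_field)
    return result

def truncating_accounts(text):
    """Users whose stored hash silently ignores everything after 8 characters."""
    return sorted(u for u, (_, n) in audit_shadow(text).items() if n == 8)
```

Run `audit_shadow(open("/etc/shadow").read())` as root on a real host; any `des-crypt` entry means the user only needs to get the first 8 characters right, and a `passwd` run under the current crypt settings re-hashes it with a full-length scheme.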