LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (http://www.linuxquestions.org/questions/linux-software-2/)
-   -   NCSA_Auth accepts any password as long as it begins with a valid password (http://www.linuxquestions.org/questions/linux-software-2/ncsa_auth-accepts-any-password-as-long-as-it-begins-with-a-valid-password-939364/)

Rory_L 04-11-2012 07:19 PM

NCSA_Auth accepts any password as long as it begins with a valid password
 
Hi all,

I've noticed some odd behavior with my squid proxy server using authentication.

I'm using NCSA_Auth to do basic authentication and have a user/password set up (for example) as username=user, password=password.

The odd behavior noticed is that I can give it 'password1' or 'password12' as a password as well and it will accept and authenticate. It wont accept 'passwor' or 'pass' so it appears that if the first part of what enters matches the password, well, Bob's your uncle, you're in.

Has anyone encountered this with NCSA_Auth before? Is this considered normal?



Rory

rknichols 04-12-2012 07:18 PM

That is almost certainly because you have hit the maximum length for a password, so only the first 8 characters matter. Try it with a shorter "good" password.

chrism01 04-12-2012 07:21 PM

Have a read of this http://readlist.com/lists/squid-cach...ers/0/422.html, which is probably related to original Unix where the limit (before MD5) was 8 SIGNIFICANT chars for a passwd.
It would accept more during passwd creation, but only use 1st 8 chars for verification during login.


All times are GMT -5. The time now is 04:06 PM.