LinuxQuestions.org


Rory_L 04-11-2012 07:19 PM

NCSA_Auth accepts any password as long as it begins with a valid password
 
Hi all,

I've noticed some odd behavior with my squid proxy server using authentication.

I'm using NCSA_Auth to do basic authentication and have a user/password set up (for example) as username=user, password=password.

The odd behavior noticed is that I can give it 'password1' or 'password12' as a password as well and it will accept and authenticate. It won't accept 'passwor' or 'pass', so it appears that if the first part of what is entered matches the password, well, Bob's your uncle, you're in.

Has anyone encountered this with NCSA_Auth before? Is this considered normal?



Rory

rknichols 04-12-2012 07:18 PM

That is almost certainly because you have hit the maximum length for a password, so only the first 8 characters matter. Try it with a shorter "good" password.

chrism01 04-12-2012 07:21 PM

Have a read of this http://readlist.com/lists/squid-cach...ers/0/422.html, which is probably related to original Unix where the limit (before MD5) was 8 SIGNIFICANT chars for a passwd.
It would accept more during passwd creation, but only use 1st 8 chars for verification during login.
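
An added example, not part of the thread and not Squid's own code: a small audit of an htpasswd-style `user:hash` file that flags entries stored with traditional DES crypt, the scheme the replies above describe as using only the first 8 characters. The scheme labels, function names and sample entries are hypothetical, and the hash strings are constructed placeholders rather than real hashes.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, no "$" prefix.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_SIGNIFICANT = 8  # characters of the password that DES crypt actually uses

def classify(hash_field):
    """Return a scheme label (labels are this example's own) for one hash field."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith("$1$"):
        return "md5-crypt"
    if hash_field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if DES_CRYPT.match(hash_field):
        return "des-crypt"
    return "unknown"

def audit(lines):
    """Return (user, scheme, truncates_to_8) for every user:hash line."""
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        scheme = classify(rest.split(":", 1)[0])
        results.append((user, scheme, scheme == "des-crypt"))
    return results

def des_significant_part(password):
    """The portion of a password that a DES crypt entry verifies."""
    return password[:DES_SIGNIFICANT]

# Constructed sample file contents; the hashes are placeholders, not real.
SAMPLE = [
    "user:rlAbCdEfGhIjK",
    "alice:$apr1$constrct$0123456789abcdefghijkl",
    "",
]

if __name__ == "__main__":
    for user, scheme, truncates in audit(SAMPLE):
        note = "only first 8 characters checked" if truncates else "ok"
        print(f"{user}: {scheme} ({note})")
    # 'password12' and 'password' verify identically under DES crypt.
    print(des_significant_part("password12") == des_significant_part("password"))
```

Entries flagged as `des-crypt` need to be regenerated with an MD5-based or stronger scheme and the password re-entered, since the stored hash never covered anything past the eighth character.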

