
Ubuntu, PAM, and MD5 logins

January 16th, 2009

At work today, I came upon a startling revelation when I typed in a 20+ character password on our Ubuntu server. I typed in the password, not sure I got it quite right, and got in. I thought I typed it in right, and obviously I did. But I wasn’t sure, since our passwords are complicated. So I exited, typed it in again, but typed it intentionally differently. And it logged in.

As it turns out, after the first 8 characters, I could have put in anything at all, and the login would work. I was shocked that such a strange security issue would come up on a mostly stock-configured Ubuntu 8.04 server. In fact, it was better than stock configured, as I already had to do a bunch of configurations to secure it.

As it turns out, the problem lay with the way PAM was hashing the password. I went and checked that my configuration was right (you should have “md5” on the “password” line where the comments in /etc/pam.d/common-password tell you to put it). Then, after doing some more poking around online, I found an Ubuntu forum post that mentioned that in /etc/shadow, if any given password hash begins with $1$, it’s using MD5. A hash with no such prefix is the traditional DES-based crypt(3) format, which only ever looks at the first eight characters of the password, and that is exactly the behaviour I was seeing. Upon looking at my shadow file, it turned out that one of my users (the one with the issue) was somehow not using MD5. I don’t quite know how that happened, but I’m going to guess that I configured PAM for MD5 after last setting his password. At least that’s my best guess.

To fix the issue, I just used passwd to change the password for the given user, and it properly took on its MD5 encryption. I hope this proves useful to someone in the future!


  1. Betelgeuse
    January 19th, 2009 at 09:39 | #1

    MD5 is a hash function. Encryption would mean that it could be decrypted using a suitable key. For better PAM security see:
    http://blog.flameeyes.eu/2009/01/05/pam-authentication-for-paranoids

  2. January 19th, 2009 at 11:35 | #2

    My bad on the misuse of “encryption” at the end. I am very familiar with the difference between actual encryption and hashing though.

    And thanks for the link! At the time I was just concerned with fixing the “bug” on my box, but that is something I may very well look into when I head back to work.
