Bug #589

Security issue: Amahi admin password is not recognising anything longer than 8 characters

Added by merlyn over 10 years ago. Updated almost 10 years ago.

Status: Assigned
Priority: Medium
Assignee:
Category: -
Target version: -
Start date: 07/31/2010
Due date:
% Done: 0%

Description

Using Fedora F12 DVD install only.
Root password is ALWAYS secure.
When doing a Fedora 12 install you must create a user / password. This is also secure until your first HDA login.
The moment you type in HDA you MUST change the amahi user password. From this moment on this password is not using more than 8 characters.

For example ...
If your password for the Amahi admin user is temporarY123

Before you type HDA initially you must use the full password.
The moment you type HDA and change your password all of the following is acceptable.

temporar
temporarY123
temporarthequickbrownfoxjumpedoverthelazydog
temporar111111111111111111222222222222222222222222222223333333333333333333333333333etc

All 4 of the above passwords are acceptable to log me into the amahi admin username.
This includes the local desktop if I am not running headless,
ssh using putty etc.,
or of course the HDA webpage / setup etc.
Again, root pass is always secure.

My guess is whatever script is collecting the old password and creating the new password is for some reason set to truncate anything after 8 characters.

I have done at least 5 installs and this is repeatable every time.
I have tried a yum update and nothing changed in this behavior.
Since the express CD install does not require the username creation I assume it is not involved in this bug, but I have not tested.

History

#1 Updated by cpg almost 10 years ago

  • Status changed from New to Assigned
  • Assignee set to cpg

Hmm, this seems to appear to apply with ssh services as well, which is very troublesome!
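
Added example, not part of the original ticket or of Amahi's code: the symptom reported above (only the first 8 characters count) is what the traditional DES-based crypt(3) hash format produces, so one check is to look for shadow entries stored in that format. Whether that is the cause of this bug is an assumption; the shadow lines, user names and hash strings below are constructed.

```python
import re

# Traditional DES crypt(3) field: 2 salt chars + 11 hash chars, no "$" prefix.
DES_FIELD = re.compile(r"[./0-9A-Za-z]{13}")

# Modular-crypt id -> (scheme, password bytes the scheme uses; None = no short limit)
MODULAR = {
    "1": ("md5crypt", None),
    "2a": ("bcrypt", 72), "2b": ("bcrypt", 72), "2y": ("bcrypt", 72),
    "5": ("sha256crypt", None),
    "6": ("sha512crypt", None),
    "y": ("yescrypt", None),
}

def classify(field):
    """Return (scheme, significant_bytes) for one shadow password field."""
    body = field.lstrip("!")              # leading "!" marks a locked account
    if body in ("", "*"):
        return ("no-password-or-locked", None)
    if body.startswith("$"):
        parts = body.split("$")
        if len(parts) > 2:
            return MODULAR.get(parts[1], ("unknown", None))
        return ("unknown", None)
    if DES_FIELD.fullmatch(body):
        return ("des-crypt", 8)           # input past 8 characters is ignored
    return ("unknown", None)

def audit(shadow_text, limit=8):
    """List (user, scheme, significant_bytes) for accounts at or under `limit`."""
    findings = []
    for line in shadow_text.splitlines():
        cols = line.strip().split(":")
        if len(cols) < 2 or cols[0].startswith("#"):
            continue
        scheme, sig = classify(cols[1])
        if sig is not None and sig <= limit:
            findings.append((cols[0], scheme, sig))
    return findings

# Constructed shadow-format sample (not real hashes): root uses SHA-512,
# the hypothetical "admin" account has a 13-character DES-style field.
SAMPLE = """\
root:$6$constructedsalt$constructedhashvalue:14800:0:99999:7:::
admin:abJnggxhB/yJo:14821:0:99999:7:::
daemon:*:14800:0:99999:7:::
backup:!!:14800:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, sig in audit(SAMPLE):
        print(f"{user}: {scheme} uses only the first {sig} password bytes")
```

To check a real system, pass the contents of /etc/shadow (readable by root only) to audit() instead of SAMPLE.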
