This is a discussion on Long passwords with Telnet within the Linux Security forums, part of the System Security and Security Related category.

Users at my company require Telnet access to a Fedora Core 3 box I'm currently setting up. Telnet works fine, as long as their password is shorter than 8 characters. If it is longer than 8 characters, Telnet won't accept it.

On the same machine, SSH works fine with any length password.

Anyone know how to fix this?

Thanks,

Chris Ott
Acclamation Systems
first initial, last name at acclamation dot com

Chris Ott <one@two.three> wrote in news:cpsjls$1vkv$1@news.aspstation.net:

> Telnet
> won't accept it.
>
> On the same machine, SSH works fine with any length password.
>
> Anyone know how to fix this?

Do a "man sshd" and you will see that it works with many different authentication protocols. Do a "man telnetd" to see if your telnet can run with, or be compiled with, support for one of those. If not then search online to see if a telnetd replacement is available for your OS.

Gandalf Parker

Chris Ott <one@two.three> wrote:

> Users at my company require Telnet access to a Fedora Core 3 box I'm
> currently setting up. Telnet works fine, as long as their password is
> shorter than 8 characters. If it is longer than 8 characters, Telnet
> won't accept it.

> On the same machine, SSH works fine with any length password.

It's possible to snarf network traffic on one's LAN (yes, even with a switched ethernet environment), and telnet transmits passwords in the clear. So is there any (technical) point in enforcing long passwords for telnet sessions?

Food for thought. Maybe.

Chris

Gandalf Parker wrote:

> Chris Ott <one@two.three> wrote in news:cpsjls$1vkv$1@news.aspstation.net:
>
>>Telnet
>>won't accept it.
>>
>>On the same machine, SSH works fine with any length password.
>>
>>Anyone know how to fix this?
>
> Do a "man sshd" and you will see that it works with many different
> authentication protocols. Do a "man telnetd" to see if your telnet can run
> with, or be compiled with, support for one of those. If not then search
> online to see if a telnetd replacement is available for your OS.
>
> Gandalf Parker

Actually, I went through the source and, as far as I can tell, username/password authentication is handled by the "login" program. I started going through that, but when I'm finding things like:

    typedef struct pam_handle pam_handle_t;

with no corresponding definition for "struct pam_handle", I have to believe that either I haven't been doing enough programming, lately, or I'm going blind.

My guess (though it may be obvious) is that someone just trimmed the password to 8 characters, somewhere between user input and the DES encryption. Then, when it gets encrypted, it's not the same password, anymore.

Chris Ott
Acclamation Systems
first initial, last name at acclamation dot com

chris-usenet@roaima.co.uk wrote:

> Chris Ott <one@two.three> wrote:
>
>>Users at my company require Telnet access to a Fedora Core 3 box I'm
>>currently setting up. Telnet works fine, as long as their password is
>>shorter than 8 characters. If it is longer than 8 characters, Telnet
>>won't accept it.
>
>>On the same machine, SSH works fine with any length password.
>
> It's possible to snarf network traffic on one's LAN (yes, even with a
> switched ethernet environment), and telnet transmits passwords in the
> clear. So is there any (technical) point in enforcing long passwords
> for telnet sessions?
>
> Food for thought. Maybe.
> Chris

I'd be perfectly okay if the system ignored anything after the eighth character in a password. The problem is that it's impossible for people to log in *at all*, if their password is longer than eight characters.

Chris Ott
Acclamation Systems
first initial, last name at acclamation dot com

Chris Ott <one@two.three> wrote in news:JJDwd.515249$wV.327111@attbi_s54:

> My guess (though it may be obvious) is that someone just trimmed the
> password to 8 characters, somewhere between user input and the DES
> encryption. Then, when it gets encrypted, it's not the same password,
> anymore.

That is the way it used to work. Test it. I used to be able to put in as long a password as I wanted to as long as the first 8 characters matched for my password.

I really expected someone to have added the other encryptions in by now. At least on some 3rd party suitable substitute.

Gandalf Parker

Gandalf Parker wrote:

> Chris Ott <one@two.three> wrote in news:JJDwd.515249$wV.327111@attbi_s54:
>
>>My guess (though it may be obvious) is that someone just trimmed the
>>password to 8 characters, somewhere between user input and the DES
>>encryption. Then, when it gets encrypted, it's not the same password,
>>anymore.
>
> That is the way it used to work. Test it. I used to be able to put in as
> long a password as I wanted to as long as the first 8 characters matched
> for my password.

Already did. As I mentioned in a reply to someone else, I'd be perfectly okay if the system ignored anything after the eighth character in a password. The problem is that it's impossible for people to log in *at all*, if their password is longer than eight characters.

Chris Ott
Acclamation Systems
first initial, last name at acclamation dot com

Chris Ott <one@two.three> wrote in news:ByFwd.210557$V41.98939@attbi_s52:

> Already did. As I mentioned in a reply to someone else, I'd be perfectly
> okay if the system ignored anything after the eighth character in a
> password. The problem is that it's impossible for people to log in *at
> all*, if their password is longer than eight characters.
>

That's because the 8-character result won't match what is in the password part of the shadow file. If my password is really 12345678 then I can type in 1234567890 and it will work because it gets trimmed to 12345678 before making the comparison. But if my password is really 12345678abc and I type in 12345678 then it will not match. You can type in as long a string at the password prompt as you want. That will get trimmed, but it can't trim the passwd file entry.

Gandalf Parker

>> Already did. As I mentioned in a reply to someone else, I'd be
>> perfectly okay if the system ignored anything after the eighth
>> character in a password. The problem is that it's impossible for
>> people to log in *at all*, if their password is longer than eight
>> characters.
>>
>
> That's because the 8-character result won't match what is in the
> password part of the shadow file. If my password is really 12345678
> then I can type in 1234567890 and it will work because it gets trimmed
> to 12345678 before making the comparison. But if my password is really
> 12345678abc and I type in 12345678 then it will not match. You can
> type in as long a string at the password prompt as you want. That will
> get trimmed, but it can't trim the passwd file entry

If MD5 / shadow passwords are being used, password length shouldn't be an issue. Last time I played around with password checking functions, it seemed like any system using hashes didn't have to consider length at all.

--
Jem Berkes
Windows, UNIX software and system design
http://www.pc-tools.net/
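
An added example, not part of any post in this thread and not code from telnetd, login or PAM: a Python sketch of the explanation the posters propose. `audit` reads the hash-scheme prefix from shadow-format entries (`$1$` marks MD5), and `login_ok` models a login path that trims typed input to 8 characters before hashing; `toy_hash` is a SHA-256 stand-in for crypt(3), and all function names and sample entries are constructed for illustration.

```python
import hashlib

DES_MAX = 8  # traditional DES crypt(3) uses only the first 8 characters

def scheme(hash_field):
    """Identify the crypt(3) scheme from an /etc/shadow hash field."""
    for prefix, name in (("$1$", "md5"), ("$5$", "sha256"), ("$6$", "sha512")):
        if hash_field.startswith(prefix):
            return name
    if hash_field in ("", "*") or hash_field.startswith("!"):
        return "locked-or-empty"
    return "des" if len(hash_field) == 13 else "unknown"

def audit(shadow_text):
    """Map each user in shadow-format text to the scheme of its stored hash."""
    result = {}
    for line in shadow_text.splitlines():
        if line.strip():
            user, hash_field = line.split(":")[:2]
            result[user] = scheme(hash_field)
    return result

def toy_hash(password, stored_scheme):
    """Stand-in for crypt(3): models only which characters are significant."""
    if stored_scheme == "des":
        password = password[:DES_MAX]
    return hashlib.sha256(password.encode()).hexdigest()

def login_ok(real_pw, typed_pw, stored_scheme, login_trims):
    """Model a login path that may trim input to 8 characters before hashing."""
    if login_trims:
        typed_pw = typed_pw[:DES_MAX]
    return toy_hash(typed_pw, stored_scheme) == toy_hash(real_pw, stored_scheme)

# Constructed sample entries; the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
alice:$1$CONSTRUCT$PLACEHOLDERPLACEHOLDER12:12768:0:99999:7:::
bob:abCONSTRUCTED:12768:0:99999:7:::
svc:!!:12768:0:99999:7:::
"""

if __name__ == "__main__":
    print(audit(SAMPLE_SHADOW))
    for real, typed, sch, trims in [
        ("12345678", "1234567890", "des", True),       # extra characters ignored
        ("12345678abc", "12345678abc", "md5", True),   # trimmed input never matches
        ("12345678abc", "12345678abc", "md5", False),  # untrimmed path works
    ]:
        print(real, typed, sch, trims, login_ok(real, typed, sch, trims))
```

In this model, a password of 8 characters or fewer passes on either path, which matches the behaviour reported in the first post.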