KDM and security

[zentek]

He guys did any of you, using kdm, did ever realise that its making the authentification on the first 8 characters of your password and that its ignoring all the rest.

I never realize this before ( maybe its was not working this way before ).
I know by experience some old unix system will no handle password longer tha 8chrs but its not the case for gentoo ( login in prompt is all fine ).

Now the questions are: should we open a bug report for that? and is that there for compatibility whit other unix flavor that are not handling longer pasword ? or simply im just to dum to fix it myself and its a config option.

I will investigate on this and post my result but i will be happy to get you comment about this

[mglauche]

I think its a limitation of the unix system. The default crypt can't handle passwords more than 8 characters.

Now the interesting question would be is this also true for md5 ?

(besides, if you use md5 hashes and 8 character password, with mixed case, numbers and special chars, you are reasonably save md5 is quite slow, so a brute force attack against a good password is hopeless... (until someone builds a massive parallel md5 encrypter, which happened with DES crypt ))

[zentek]

For now i dont think about a limitation of the unix system cause evrywhere else on my machine its working fine ...

The texte mode login dont let me authenticate whit a shorter password ... same in KDE when you need to run an app whit ROOT right ( like changing the time ) .. its only that "blip -> explicitly deleted" KDM that is doing this ..... Its being a while that linux is handeling longer password.

Even network login is working (ssh, ftp) thank god !!!

[zentek]

Im a dumbass ... i found the problem

Just taught i should post it

When you create an account the kde util kuser ist not using md5 for your password .. so dont use that !!!!

use adduser in console ... works alot better or create your account and change it whit passwd in console