For reference: We're using SHA512 as our password hashing algorithm for /etc/shadow. To quote the relevant configs:

# grep -i sha512 /etc/login.defs /etc/sysconfig/authconfig /etc/pam.d/system-auth
/etc/login.defs:ENCRYPT_METHOD SHA512
/etc/sysconfig/authconfig:PASSWDALGORITHM=sha512
/etc/pam.d/system-auth:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

Whenever a password with a length of >79 characters is set, SSH logins don't work with that password. If the password is shortened to 79 characters on the client when logging in, it effectively works, which proves that obviously passwd has shortened the password before feeding it into the hashing algorithm.

As users have the reasonable expectation that if they successfully set a password they can log in with exactly that password later, I'd regard that silent input cropping as a bug. If there really is a limit on input length, passwd should fail loudly, saying "password too long".
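A check for the behaviour described above, added here as an example (it is not code from the report or from shadow-utils/glibc): given a $6$ shadow entry and the password the user believes they set, it reports whether the entry verifies against the whole password or only against its first 79 characters, which is exactly the silent-truncation symptom. It reimplements glibc's SHA-512 crypt in pure Python so it runs without a crypt module; the 79-character limit and the salts/passwords used are assumptions for illustration.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000  # glibc's default when the entry has no rounds= field


def sha512_crypt(password: bytes, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> str:
    """Pure-Python $6$ (SHA-512 crypt); returns the 86-char hash field only."""
    salt, n, H = salt[:16], len(password), hashlib.sha512
    B = H(password + salt + password).digest()
    A = H(password + salt)
    A.update((B * (n // 64 + 1))[:n])  # B repeated to the password length
    i = n
    while i:  # one step per bit of len(password): B for a 1 bit, password for 0
        A.update(B if i & 1 else password)
        i >>= 1
    A = A.digest()
    P = (H(password * n).digest() * (n // 64 + 1))[:n]
    S = (H(salt * (16 + A[0])).digest() * (len(salt) // 64 + 1))[:len(salt)]
    C = A
    for r in range(rounds):  # the stretching loop
        h = H(P if r & 1 else C)
        if r % 3:
            h.update(S)
        if r % 7:
            h.update(P)
        h.update(C if r & 1 else P)
        C = h.digest()
    out = []  # crypt base64 over the digest bytes in glibc's permuted order
    for k in range(21):
        a = (22 * k) % 63
        w = (C[a] << 16) | (C[(a + 21) % 63] << 8) | C[(a + 42) % 63]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    out += [ITOA64[C[63] & 0x3F], ITOA64[C[63] >> 6]]
    return "".join(out)


def diagnose(shadow_hash: str, intended: str, limit: int = 79) -> str:
    """'full' if the entry verifies with the whole password, 'truncated' if
    only its first `limit` characters verify, 'mismatch' otherwise."""
    f = shadow_hash.split("$")  # ['', '6', 'rounds=N' (optional), salt, hash]
    assert f[1] == "6", "only $6$ entries are handled"
    rounds = int(f[2][7:]) if f[2].startswith("rounds=") else DEFAULT_ROUNDS
    salt, digest, pw = f[-2].encode(), f[-1], intended.encode()
    if sha512_crypt(pw, salt, rounds) == digest:
        return "full"
    if len(pw) > limit and sha512_crypt(pw[:limit], salt, rounds) == digest:
        return "truncated"
    return "mismatch"
```

Run `diagnose(<hash field from /etc/shadow>, <the 80+ character password>)` for an affected account: "truncated" confirms the entry was made from the cropped password, "full" means the stored hash covers the whole password and the failure lies elsewhere in the login path.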