HPE Community
Operating System - HP-UX
1753500 Members
4359 Online
108794 Solutions
New Discussion

hpux ftp allows incorrect password

 
SOLVED
Go to solution
jesc516
Occasional Contributor

‎10-27-2015 01:05 PM

‎10-27-2015 01:05 PM

hpux ftp allows incorrect password

hello,

 

i created a group called ftpgroup with one user; ftpuser. i set the default shell for ftpuser in /etc/passwd to /usr/bin/false after creating the file /etc/shells.

 

i set the password using passwd ftpuser.

 

i typed in the wrong password in a script i have to downfile a file and modify it and i was able to login. after a few login tests i came to realize that only the first 9 characters of the password are being validated. meaning if the first 9 characters are correct i can type in anything else after and it allows me to login.

 

the password format is xxxx xxxx xxxx but as long as i type in xxxx xxxx im allowed to login. i can type in xxxx xxxxabcdefgh123 and im allowed to login. the password is a 3 word format with spaces in between. why does this occur?

0 Kudos
Reply
3 REPLIES 3
Dennis Handly
Acclaimed Contributor

‎10-27-2015 05:58 PM

‎10-27-2015 05:58 PM

Solution

Re: HP-UX ftp truncates password to 8 chars

> I realized that only the first 9 characters of the password are being validated. 

 

The standard passwords are only up to 8 chars long.  Not sure how you got 9?

 

http://h30499.www3.hp.com/t5/tag/long%20passwords/tg-p

http://h30499.www3.hp.com/t5/Security/How-does-one-enable-long-password-on-HP-UX-11-31/m-p/6365595

0 Kudos
Reply
Bill Hassell
Honored Contributor

‎10-27-2015 06:24 PM

‎10-27-2015 06:24 PM

Re: hpux ftp allows incorrect password

>> i set the password using passwd ftpuser.

 

Standard security is hard limited to 8 characters. The passwd command allows you to set any passwd length but silently throws away everything you typed in after the 8th character. Similalrly, when you login with a long password, everything after 8 characters is silently ignored.

This has been the case for more than 30 years and one of the many reasons to switch to a Trusted System or Shadow Password or other security level for HP-UX.



Bill Hassell, sysadmin
0 Kudos
Reply
jesc516
Occasional Contributor

‎10-28-2015 09:17 AM

‎10-28-2015 09:17 AM

Re: HP-UX ftp truncates password to 8 chars

my apologies, i meant starting from the 9 character and forward was basically ignored.

 

im new to hpux administration but i looking into getting certified.  i would like to get more hands on as i mostly deal with the windows servers.

 

thank you

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.