The problem with the password (security)

x-myrza
Posts: 7
Joined: 2017-04-13 07:36

The problem with the password (security)

#1 Post by x-myrza »

The problem with the password. For example, say I have a password with different characters and at the end one more character. For example, "QWERTY123!". I go to the server with two passwords: 1. "QWERTY123!" And 2. "QWERTY123". How can this be understood?
OS Debian 8 x64

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: The problem with the password (security)

#2 Post by debiman »

i don't understand the question.
these are 2 different passwords, full stop.

also, you have chosen an extremely insecure password. i hope this is just an example.

x-myrza
Posts: 7
Joined: 2017-04-13 07:36

Re: The problem with the password (security)

#3 Post by x-myrza »

Sorry for my bad english... Yes this is the password example. I enter the server with two passwords "QWERTY123!" & "QWERTY123"

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: The problem with the password (security)

#4 Post by debiman »

"I enter the server" doesn't really tell me anything.
please provide much more information.
click on this link: http://catb.org/~esr/faqs/smart-questions.html
and read.

afaik, one user has one password.
what you are showing me are 2 different passwords.

rovernut
Posts: 108
Joined: 2013-11-20 10:50
Been thanked: 1 time

Re: The problem with the password (security)

#5 Post by rovernut »

I suspect he means he set his password to QUERTY123! but can also log on with QUERTY123

Personally I've never seen that, but also never tried to do it.
Tom Rowe

Four wheel drive allows you to get stuck
in places even more inaccessible.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: The problem with the password (security)

#6 Post by GarryRicketson »

The OP is not telling us enough, but my guess is something like this is going on.

https://tools.ietf.org/html/rfc4519#section-2.41
RFC 4519, LDAP: Schema for User Applications, June 2006

... use a different password generated by some automated system. During transitional periods, like the last and first day of the periods, it may be necessary to allow two passwords for the two consecutive periods to be valid in the system.
I found the above because I did not think this is possible, but it is :
Is it possible 2 different passwords could work for 1 user on linux
https://unix.stackexchange.com/question ... -passwords
An example of a need for multiple values in the 'userPassword' attribute is an environment where every month the user is expected to use a different password generated by some automated system. During transitional periods, like the last and first day of the periods, it may be necessary to allow two passwords for the two consecutive periods to be valid in the system.
More :
On the Linux side, nothing forbids to do it (here an account named testuser was given both pass1 and pass2 as userPassword attribute values):

Code:

$ uname -a
Linux lx-vb 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
$ grep VERSION /etc/os-release
VERSION="13.04, Raring Ringtail"
$ grep "^passwd" /etc/nsswitch.conf 
passwd: files ldap
$ ldapsearch -LLL -h localhost -p 1389 -D "cn=directory manager" -w xxxxxxxx "uid=testuser" userPassword
dn: uid=testuser,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9b2JWYXFDcjhNQmNJVXZXVHMzbE40SFlReStldC9XNFZ0NU4yRmc9PQ==
userPassword:: e1NTSEF9eDlnRGZ5b0NhKzNROTIzOTFha1NiR2VTMFJabjNKSWYyNkN3cUE9PQ==
$ grep testuser /etc/passwd
$ getent passwd testuser
testuser:*:12345:12345:ldap test user:/home/testuser:/bin/sh
$ sshpass -p pass1 ssh testuser@localhost id
uid=12345(testuser) gid=12345 groups=12345
$ sshpass -p pass2 ssh testuser@localhost id
uid=12345(testuser) gid=12345 groups=12345
$ sshpass -p pass3 ssh testuser@localhost id
Permission denied, please try again. 
x-myrza wrote:Sorry for my bad english... Yes this is the password example. I enter the server with two passwords "QWERTY123!" & "QWERTY123"
Why is it set up that way ?

I do not think it is something that could occur by accident,..maybe the OP should ask their system administrator, or server admin, how and why it has been setup this way.
by x-myrza » How can this be understood?
It didn't make sense to me, and I did not understand the question. I still don't understand the question very well, but doing a tiny bit of searching helped me understand how this is possible and how it could be accomplished, if that is what the OP is asking. Likewise it could be undone... in fact, more than likely after a couple of logins the old password will no longer work, only the new one.
How can we understand when the OP does not tell us what they did to put the system into this state? ...Again, if they didn't, who did?

x-myrza
Posts: 7
Joined: 2017-04-13 07:36

Re: The problem with the password (security)

#7 Post by x-myrza »

rovernut wrote:I suspect he means he set his password to QUERTY123! but can also log on with QUERTY123
Yes it is
rovernut wrote: Personally I've never seen that, but also never tried to do it.
I happened to notice it when I entered the password and forgot the last character, and I still got into the system. Then I rechecked the situation and it works.
GarryRicketson wrote:Why is it set up that way ?
I do not think it is something that could occur by accident,..maybe the OP should ask their system administrator, or server admin, how and why it has been setup this way.
***
How can we understand when the OP does not tell us what they did to put the system into this state,? ...Again, if they didn't , Who did ?
I happened to notice it. This is a new system. The account and password were set when the system was installed. Since then I have not manipulated the account and have never changed the password. I entered the password and forgot the last character, and I still got into the system. Then I rechecked the situation and it works.

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: The problem with the password (security)

#8 Post by stevepusser »

What is this server? Is it running Debian?

I can think of a situation where somehow "!" would be an invalid password character, so all the system is getting is the shorter version every time, but really have no idea how this could come about.
MX Linux packager and developer

x-myrza
Posts: 7
Joined: 2017-04-13 07:36

Re: The problem with the password (security)

#9 Post by x-myrza »

stevepusser wrote:What is this server? Is it running Debian?

I can think of a situation where somehow "!" would be an invalid password character, so all the system is getting is the shorter version every time, but really have no idea how this could come about.
Linux alex 4.9.0-2-amd64 #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
Distributor ID: Debian
Description: Debian GNU/Linux 9.0 (stretch)
Release: 9.0
Codename: stretch

Cefiar
Posts: 18
Joined: 2017-03-25 22:50

Re: The problem with the password (security)

#10 Post by Cefiar »

How are you logging into the system?
eg: Text or graphical.

Does the same thing happen with other tools (from a terminal) that require the users password?
eg: `su - $user`, 'sudo', etc.

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: The problem with the password (security)

#11 Post by debiman »

i just tried

Code:

sudo passwd debiman
and entered a password with an ! at the end, and I cannot reproduce op's behavior:
i cannot login (Login incorrect) when i leave out the '!'.
just like i said, these are 2 different passwords.

since op continually refers to "the server" - maybe they're not talking about a normal linux user password, but something else.

but even so, this behaviour seems extremely unlikely and i strongly suspect that the PEBKAC.

x-myrza
Posts: 7
Joined: 2017-04-13 07:36

Re: The problem with the password (security)

#12 Post by x-myrza »

Cefiar wrote:How are you logging into the system?
eg: Text or graphical.
Text in putty
Cefiar wrote: Does the same thing happen with other tools (from a terminal) that require the users password?
eg: `su - $user`, 'sudo', etc.
No root

x-myrza
Posts: 7
Joined: 2017-04-13 07:36

Re: The problem with the password (security)

#13 Post by x-myrza »

Understood! :P
Domain controller Windows login: x-myrza(password: qwerty123)
Debian login: x-myrza(password:qwerty123!)
Debian installed kerberos for authentication AD. Because of the same login. But other AD users do not enter. :lol: I apologize for the disturbance. :)

Cefiar
Posts: 18
Joined: 2017-03-25 22:50

Re: The problem with the password (security)

#14 Post by Cefiar »

This was written before the user replied mentioning that they're using an AD, and are using AD auth. Of course the issue here is that AD auth is tried first, and if that fails, it uses local auth, which apparently have similar but different passwords.

Below is the original reply as it might prove useful to someone.

Original reply:

Try running the following command as root:

# grep ^root: /etc/shadow | cut -d: -f2 | cut -d$ -f2

This should return a single digit number, which says what encryption/hash method your root password is stored in.

Here's a quick list of which method was used (not an exhaustive list):
1 MD5
2 Blowfish
2a eksBlowfish
5 SHA-256
6 SHA-512

Really, if it doesn't return 6, then I suspect that there's a configuration issue somewhere. I would suggest changing the password using `passwd root` and re-run the command to see if it's still a problem.

If it returns the whole line (ie: no $ was found), or returns an error about the file not being found, then you've got other issues, such as the system not using /etc/shadow for passwords. If you're using some method of external authentication (eg: ldap) then you need to look at why that has these problems. To be honest though, using anything external for root seems pretty weird to me, as then you can't get in if the auth method is down.
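
The situation described in the post above (directory authentication tried first, local authentication as fallback) can be audited on a host. The following is an added example, not part of the thread: a shell check that lists the password-checking modules in a PAM auth stack and the local accounts that still have a usable hash in a shadow-format file. The function names, the module list and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for the "two valid passwords" condition in this thread.

# Print the password-checking modules of a PAM auth stack, in stack order.
# $1 = PAM file. The module list is an assumption; extend it as needed.
auth_backends() {
    awk '$1 == "auth" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^pam_(unix|krb5|sss|ldap|winbind)\.so$/) {
                sub(/\.so$/, "", $i); print $i
            }
    }' "$1"
}

# Print local accounts with a usable password hash in a shadow-format file:
# field 2 is neither empty nor locked with a leading "!" or "*".
local_password_users() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# Succeed when user $1 can pass the stack in $2 with a local password
# (shadow file $3) although a directory backend is also consulted.
dual_password_risk() {
    backends=$(auth_backends "$2")
    echo "$backends" | grep -x 'pam_unix' >/dev/null || return 1
    echo "$backends" | grep -vx 'pam_unix' >/dev/null || return 1
    local_password_users "$3" | grep -xF -- "$1" >/dev/null
}

# Constructed sample files (not taken from the poster's system).
sample_dir=$(mktemp -d)
cat > "$sample_dir/common-auth" <<'EOF'
# Kerberos is asked first, pam_unix is the fallback
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
EOF
cat > "$sample_dir/shadow" <<'EOF'
root:!:17000:0:99999:7:::
x-myrza:$6$constructedsalt$constructedhash:17000:0:99999:7:::
svc:*:17000:0:99999:7:::
EOF

for u in root x-myrza svc; do
    if dual_password_risk "$u" "$sample_dir/common-auth" "$sample_dir/shadow"; then
        echo "$u: a local password is accepted besides the directory password"
    fi
done
```

The check only covers the local half: an account it reports has two working passwords only if the same login name also exists in the directory. Locking the local password for such accounts, or removing the local account, leaves the directory as the single source.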

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: The problem with the password (security)

#15 Post by debiman »

AD = active directory? some microsoft thing?
no experience with that, sorry.

but when I saw "putty" I thought, that's where I'd put my efforts.
no experience with putty either, unfortunately, but I've seen reports that certain character sequences do not work as expected when translated through putty to a linux server.

but a simple exclamation mark?
no, only microsoft is able of something like that.

x-myrza
Posts: 7
Joined: 2017-04-13 07:36

Re: The problem with the password (security)

#16 Post by x-myrza »

debiman wrote:AD = active directory? some microsoft thing?
no experience with that, sorry.
Yes. A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software.
debiman wrote:but when I saw "putty" I thought, that's where I'd put my efforts.
no experience with putty either, unfortunately, but I've seen reports that certain character sequences do not work as expected when translated through putty to a linux server.
Putty is for me the most convenient client for managing ssh.
debiman wrote:but a simple exclamation mark?
no, only microsoft is able of something like that.
Of course the issue here is that AD auth is tried first, and if that fails, it uses local auth, which apparently have similar but different passwords.
Debiman thank you very much for your help!

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: The problem with the password (security)

#17 Post by debiman »

x-myrza wrote:Putty is for me the most convenient client for managing ssh.
for windows maybe.
