# Only first 8 characters of password are checked with ssh!

## meulie

Hi all,

A problem on a box of mine here... When I ssh in, only the first 8 characters of my password are checked. As long as those are correct, I get in (no matter what the 9th-nth characters are that I enter...)

ssh seems to be the only authentication having this problem at the moment. When I for example use 'su', my entire password has to be correct...

----------

## DrWilken

Are You using PAM authentication with SSH...?

Please post Your /etc/pam.d/sshd file and also Your /etc/ssh/sshd_config file...  :Smile: 

Also try running this:

```
# grep PASS_MAX_LEN /etc/login.defs
```

----------

## meulie

/etc/pam.d/sshd:

```
auth       include      system-remote-login
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login
```

/etc/ssh/sshd_config:

```
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
Subsystem       sftp    /usr/lib64/misc/sftp-server
DenyGroups deniedssh
```

grep PASS_MAX_LEN /etc/login.defs:

```
#PASS_MAX_LEN           8       (NOT SUPPORTED WITH PAM)
```

Does this shed more light on my problem?

----------

## DrWilken

 *meulie wrote:*   

> /etc/pam.d/sshd:
> 
> ```
> auth       include      system-remote-login
> ...
> ```

 

Sadly... No...  :Sad: 

----------

## meulie

Anyone?

I would like my system as secure as possible, and this limited password check is not helping...    :Cool: 

----------

## vaguy02

Are you using DES challenge-response for SSH? I vaguely remember something about DES C-R only accepting up to 8 characters but I could be wrong...... I will google a little bit and write back.

----------

## vaguy02

Yep, DES only supports 8 characters.

 *Quote:*   

> No more than 8 characters - extras are ignored 

 

http://www.hackinglinuxexposed.com/articles/20030323.html

----------
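The 8-character limit mentioned above is a property of the traditional DES-based crypt(3) password hash, which shows up in a shadow file as a bare 13-character string with no `$` prefix. The following is an added example, not part of the thread: a small audit that lists accounts still carrying such a hash. The function names and the sample shadow lines are constructed for illustration.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, no "$" prefix.
# Only the first 8 characters of the password go into this hash.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes; none of these schemes stop at 8 characters.
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

def classify(field):
    """Name the hash scheme used in the password field of a shadow(5) entry."""
    if field == "":
        return "empty"
    body = field.lstrip("!")  # a locked account keeps its hash behind "!"
    if body in ("", "*"):
        return "locked"
    for prefix, name in PREFIXES.items():
        if body.startswith(prefix):
            return name
    if DES_RE.match(body):
        return "des"
    return "unknown"

def des_accounts(shadow_text):
    """Return login names whose stored hash is traditional DES crypt."""
    hits = []
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and classify(parts[1]) == "des":
            hits.append(parts[0])
    return hits

# Constructed sample in shadow(5) format; the hashes are placeholders, not real.
SAMPLE = """\
root:$6$examplesalt$constructedhashvalue:19000:0:99999:7:::
alice:ab0123456789.:15000:0:99999:7:::
bob:!$1$salt$constructed:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
carol:!cdABCDEFGHIJK:15000:0:99999:7:::
"""

if __name__ == "__main__":
    print(des_accounts(SAMPLE))
```

To audit a live system, pass the contents of /etc/shadow (readable by root only) to `des_accounts`. A flagged account only gets a modern hash once its password is set again under the newer scheme.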

## meulie

How do I make it more secure?

----------

## outermeasure

 *meulie wrote:*   

> How do I make it more secure?

 

Use Public Key Authentication instead...

----------

## desultory

Even better in addition.

----------

## meulie

What is the default/recommended config that ships with Gentoo nowadays?

----------

