shadow-maint/shadow

Insufficient password length management

stoeckmann opened this issue · 0 comments

The login.defs file contains the two fields PASS_MAX_LEN and PASS_MIN_LEN.

PASS_MAX_LEN

The example etc/login.defs states:

#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN           8

Contrary to its description, PASS_MAX_LEN is only considered if the encryption method is DES. You can easily test this by using e.g. MD5 or YESCRYPT, changing the password with passwd, and entering a password which is longer than the configured maximum length.

Yet, the maximum length is actually capped. The agetpass function supplied by shadow allows up to PASS_MAX characters (defined in a C file, not configurable). However, passwords are already silently truncated at 199 characters due to an internal limit in passwd.

PASS_MIN_LEN

If PASS_MIN_LEN is not set in login.defs, then an invalid message is printed in passwd:

Proof of Concept even if PAM support is compiled in (run as root):

# passwd -P /.
Changing password for root
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New password:

According to this message, a minimum of 5 characters is in place. But in fact, empty passwords are allowed as well. This happens because src/ and lib/ use different default values if PASS_MIN_LEN does not exist.
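As an added illustration (not shadow's own code), one way to keep the prompt and the enforcement in agreement is to route both through a single login.defs lookup with a single shared default; the login.defs fragment, the default of 5 and the function names are constructed for this example:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One default shared by every caller, so the prompt and the check can never
 * disagree (hypothetical value, not shadow's own). */
#define DEFAULT_PASS_MIN_LEN 5

/* Constructed login.defs fragment: PASS_MIN_LEN is commented out, which is
 * the "not set" case the issue describes. */
static const char *sample_login_defs =
    "# Password length controls\n"
    "#PASS_MIN_LEN   8\n"
    "PASS_MAX_DAYS   99999\n"
    "ENCRYPT_METHOD  YESCRYPT\n";

/* Look up a numeric key in login.defs text. Returns dflt when the key is
 * absent or commented out. */
static long getdef_num(const char *defs, const char *key, long dflt)
{
    const char *p = defs;
    size_t klen = strlen(key);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        while (len && isspace((unsigned char)*p)) { p++; len--; }
        if (len > klen && strncmp(p, key, klen) == 0 &&
            isspace((unsigned char)p[klen]))
            return strtol(p + klen, NULL, 10);
        if (!eol) break;
        p = eol + 1;
    }
    return dflt;
}

/* Both the message and the enforcement read the minimum from here. */
static long pass_min_len(const char *defs)
{
    return getdef_num(defs, "PASS_MIN_LEN", DEFAULT_PASS_MIN_LEN);
}

/* Returns 1 when the candidate meets the configured minimum, else 0. */
static int password_long_enough(const char *defs, const char *candidate)
{
    return strlen(candidate) >= (size_t)pass_min_len(defs);
}

int main(void)
{
    printf("minimum of %ld characters\n", pass_min_len(sample_login_defs));
    printf("empty password accepted: %s\n",
           password_long_enough(sample_login_defs, "") ? "yes" : "no");
    return 0;
}
```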