Serious security risk with Lish
Since I'm very concerned with security and Lish allows password authentication, I decided to get an extra-strong password.
According to the Linode Web Manager: "Passwords must be alphanumeric and/or punctuation, 6-16 characters in length." So I chose a password with 12 characters, pretty random.
The problem is, whenever I login to Lish, it grants me access after the first 8 characters!!
Example:
I set my password to: lInOdE-lIsh-007
Then if I enter: lInOdE-l
I'm already in!
Please, try for yourself. Well, this is not very serious, but a stronger password, with the 16 characters advertised, would be way better.
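The check the poster describes (set a long password, then log in with successively shorter prefixes) is easy to turn into a repeatable audit. The following is an added example, not code from Linode or from this thread. It builds two constructed password stores: one that deliberately hashes only the first 8 characters, reproducing the reported symptom (traditional DES-based crypt(3) behaves this way, but whether that is what Lish used is an assumption, not something the thread states), and one that hashes the whole password with PBKDF2. The `audit` function reports the shortest prefix that still authenticates and whether extra trailing characters are ignored. The user name, salt handling and `TRUNCATE_AT` constant are illustrative assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample password, taken from the poster's description.
PASSWORD = "lInOdE-lIsh-007"

# Assumption: the weak store only ever looks at this many characters.
TRUNCATE_AT = 8


def truncating_hash(password: str, salt: bytes) -> bytes:
    """Deliberately weak: silently drops everything after TRUNCATE_AT chars."""
    return hashlib.sha256(salt + password[:TRUNCATE_AT].encode()).digest()


def full_hash(password: str, salt: bytes) -> bytes:
    """Hardened: a slow KDF over the entire password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordStore:
    """Minimal salted verifier; the only difference between the two stores
    is which hash function they are built with."""

    def __init__(self, hash_fn):
        self._hash_fn = hash_fn
        self._records = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._hash_fn(password, salt))

    def check(self, user: str, attempt: str) -> bool:
        salt, stored = self._records[user]
        # Constant-time compare so the audit itself doesn't add a timing leak.
        return hmac.compare_digest(stored, self._hash_fn(attempt, salt))


def audit(store: PasswordStore, user: str, password: str):
    """Replicates the poster's experiment.

    Returns (shortest_accepted_prefix, ignores_suffix):
      * shortest_accepted_prefix: the smallest n such that password[:n] logs in
        (equal to len(password) for a store that uses the whole password);
      * ignores_suffix: True if appending junk to the real password still
        authenticates, i.e. characters past the limit are never looked at.
    """
    shortest = None
    for n in range(1, len(password) + 1):
        if store.check(user, password[:n]):
            shortest = n
            break
    ignores_suffix = store.check(user, password + "junk")
    return shortest, ignores_suffix


def build_stores():
    """Construct the weak and hardened stores with the sample password set."""
    weak = PasswordStore(truncating_hash)
    strong = PasswordStore(full_hash)
    for store in (weak, strong):
        store.set_password("alice", PASSWORD)  # "alice" is an assumed user
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("weak store   :", audit(weak, "alice", PASSWORD))    # (8, True)
    print("strong store :", audit(strong, "alice", PASSWORD))  # (15, False)
```

Against a real login you would replace `store.check` with the actual login attempt; the `ignores_suffix` probe is the quicker tell, since a single attempt with extra characters appended reveals whether the tail of the password is being read at all.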
5 Replies
We'll get this fixed ASAP.
-Chris
Good catch, though.
hotgazpacho, the problem is, what's the point in having an extra-secure lock on a door for which you have the key, when your house has simple glass windows (and you live on the ground floor)?
I might use an SSH public key, but since it's impossible to disable password logins, it doesn't enforce security.
Well, I have direct SSH login enabled to my machine and there I'm using SSH keys with a passphrase, since I disabled password login.
Thanks for letting us know about this.
-Chris
If so, should there perhaps be an advisory on the blog?