Serious security risk with Lish


Since I'm very concerned with security and Lish allows password authentication I decided to get an extra-strong password.

Accordingly to Web Linode Manager: "Passwords must be alphanumeric and/or punctuation, 6-16 characters in length." So I chose a password with 12 characters, pretty random.

The problem is, whenever I login to Lish, it grants me access after the first 8 characters!! :roll:


I set my password to: lInOdE-lIsh-007

Then if I enter: lInOdE-l

I'm already in!

Please, try for yourself. Well, this is not very serious, but a stronger password, with the 16 characters advertised would be away better.

5 Replies

The bug looks to be in chpasswd(8), which is an easily scriptable password changer. It looks to be using an older encryption algorithm that only cares about the first 8 characters.

We'll get this fixed ASAP.


If you're that concerned with security, why aren't you using you SSH Public Key to log in to LISH?

Good catch, though.

Thank you, caker.

hotgazpacho, the problem is, what's the point in having a extra-secure lock in a door for which you have the key, when your house has simple glass windows (and you live on the ground floor)?

I might use a SSH Public Key, but since it's impossible to disable password logins, it doesn't enforce security. :)

Well, I have direct SSH login enabled to my machine and there I'm using SSH Keys with Passphrase, since I disabled password login.

OK, it's now fixed (on subsequent password reset).

Thanks for letting us know about this.


Is it true that until an account password is reset, all users will still be hit by this?

If so, should there perhaps be an advisory on the blog?


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct