Problem

BoKS lets you set a maximum password length for the domain. BCC does not apply the same truncation at that maximum as the other login methods do, so a password that works everywhere else can fail in BCC with a misleading "wrong password" error.

For example:

If the maximum password length is set to 8 characters (the BoKS default) and a user's password is set to 9 characters, e.g.:

monkey123

and the user logs in via telnet, the console, ssh, etc., the password is accepted because the login program truncates it to the first 8 characters (monkey12) before passing it to BoKS, where it matches the stored password.

In BCC, this behavior is different: BCC does not truncate the password before sending it to BoKS for validation. If the user enters the full password (monkey123), the login to BCC fails and the BoKS error log reports "wrong password", even though the user typed the password that works with every other login method. If the user types "monkey12" instead, the login to BCC succeeds.

This is confusing for the user and hard for the BoKS administrator to troubleshoot, because the logged error is literally true (the strings do not match) while the real cause is the difference in where truncation happens.

Solution

Upgrade to BoKS 7.0 or higher where this issue has been addressed.

Workaround

Set the maximum allowed password length for the domain to a limit higher than users are likely to reach. For example:

BoKS# bksdef -M 70

This ensures that password truncation is not an issue and also permits much stronger passwords than the default of 8 characters allows. Note that on legacy systems, or systems still using DESCRYPT, the usable password length is still limited to 8 characters: traditional DES-based crypt(3) only uses the first 8 characters of the password, so anything beyond that is silently ignored regardless of the domain setting.
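To make the mismatch described under Problem and the effect of the -M workaround concrete, here is a small Python model of the two login paths. It is an example added to this article, not BoKS or BCC code: the domain class, the salted SHA-256 stand-in hashing, the in-memory user table, the user name alice and the login and diagnosis functions are all constructed for illustration, and the real products store and check passwords differently.

```python
import hashlib
import hmac
import os

# Constructed model of the behaviour described in this article. This is an
# example added here, not BoKS or BCC code: the hashing (salted SHA-256),
# the in-memory user table, the user name "alice" and the login functions
# are illustrative stand-ins.


def _digest(password: str, salt: bytes) -> bytes:
    """Stand-in password hash; the real products store passwords differently."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class Domain:
    """Minimal stand-in for a BoKS domain with a maximum password length
    (the value an administrator sets with 'bksdef -M')."""

    def __init__(self, max_password_length: int = 8):
        self.max_password_length = max_password_length
        self._users = {}  # user -> (salt, digest of the stored password)

    def set_password(self, user: str, password: str) -> None:
        # Enrolment honours the domain maximum: only the first
        # max_password_length characters are ever stored.
        salt = os.urandom(8)
        stored = password[: self.max_password_length]
        self._users[user] = (salt, _digest(stored, salt))

    def verify(self, user: str, candidate: str) -> bool:
        # Server-side check: compares exactly the string it is handed.
        if user not in self._users:
            return False
        salt, expected = self._users[user]
        return hmac.compare_digest(_digest(candidate, salt), expected)


def login_truncating(domain: Domain, user: str, typed: str) -> bool:
    """The telnet/console/ssh path: the login program cuts the typed
    password at the domain maximum before passing it to BoKS."""
    return domain.verify(user, typed[: domain.max_password_length])


def login_bcc(domain: Domain, user: str, typed: str) -> bool:
    """The BCC path before the fix: the full typed string goes to BoKS."""
    return domain.verify(user, typed)


def diagnose_bcc_failure(domain: Domain, user: str, typed: str) -> str:
    """Explain a BCC 'wrong password': is the password really wrong, or does
    it only fail because it is longer than the domain maximum?"""
    if login_bcc(domain, user, typed):
        return "ok"
    if len(typed) > domain.max_password_length and login_truncating(domain, user, typed):
        return "truncated at %d characters" % domain.max_password_length
    return "wrong password"


def demo() -> dict:
    """Reproduce the article's scenario, then the same login after -M 70."""
    default = Domain(max_password_length=8)       # BoKS default
    default.set_password("alice", "monkey123")    # 9 characters, stored as monkey12
    results = {
        "ssh monkey123 (limit 8)": login_truncating(default, "alice", "monkey123"),
        "bcc monkey123 (limit 8)": login_bcc(default, "alice", "monkey123"),
        "bcc monkey12 (limit 8)": login_bcc(default, "alice", "monkey12"),
        "diagnosis monkey123 (limit 8)": diagnose_bcc_failure(default, "alice", "monkey123"),
        "diagnosis monkey12 (limit 8)": diagnose_bcc_failure(default, "alice", "monkey12"),
        "diagnosis banana (limit 8)": diagnose_bcc_failure(default, "alice", "banana"),
    }
    wide = Domain(max_password_length=70)         # after bksdef -M 70
    wide.set_password("alice", "monkey123")       # now stored in full
    results["ssh monkey123 (limit 70)"] = login_truncating(wide, "alice", "monkey123")
    results["bcc monkey123 (limit 70)"] = login_bcc(wide, "alice", "monkey123")
    results["bcc monkey12 (limit 70)"] = login_bcc(wide, "alice", "monkey12")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-32s %s" % (case, outcome))
```

With the default limit of 8 the model accepts monkey123 on the truncating path and rejects it on the BCC path, while monkey12 succeeds on both; with the limit raised to 70 both paths agree on the full string and monkey12 is no longer accepted. In this model the new limit only affects passwords set after it is raised; whether a password enrolled under the old limit must be reset on a real BoKS domain is not something this article states, so check it on a test host before changing a production domain.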



Last Modified On: June 28, 2019