SSH password authentication failing depending on whether BoKS is active or not.


Logging in with SSH using password authentication works when BoKS is active, but may end up failing when BoKS is deactivated even though BoKS should allow all SSH logins in this state.

Resolution / Workaround

This could be caused by truncation of the typed in password that depends on BoKS activation.

The default setting for Maximum password length (which is set using either FCC or bksdef) is 8 characters.

If a client system is configured to use MD5 passwords, SHA512 or Blowfish, the system will allow longer passwords. If a user sets a longer password, BoKS truncates it to the 8 (or what maximum is set in BoKS database) prior to storing the password in the database and subsequent updating of /etc/shadow (and other similar) files on the system.

When BoKS is active, the typed in password is truncated before authentication. Thus when entering the long password, authentication succeeds. When BoKS is not active, the entire password string is hashed and compared, and thus authentication fails.

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: June 28, 2019