The local crypt() may support hash types which use more than the first 8 characters. It also doesn't modify the input string, so we should just stop truncating it. --- krb5-1.2.7/src/appl/bsd/login.c 2005-11-15 16:20:34.000000000 -0500 +++ krb5-1.2.7/src/appl/bsd/login.c 2005-11-15 16:20:29.000000000 -0500 @@ -461,17 +461,14 @@ int unix_passwd_okay (pass) char *pass; { - char user_pwcopy[9], *namep; + char *namep; char *crypt (); assert (pwd != 0); - /* copy the first 8 chars of the password for unix crypt */ - strncpy(user_pwcopy, pass, sizeof(user_pwcopy)); - user_pwcopy[sizeof(user_pwcopy) - 1]='\0'; - namep = crypt(user_pwcopy, salt); - memset (user_pwcopy, 0, sizeof(user_pwcopy)); - /* ... and wipe the copy now that we have the string */ + namep = crypt(pass, salt); + if (strlen(namep) < 13) + return 0; /* verify the local password string */ #ifdef HAVE_SHADOW