ssh - why can I login with partial passwords?

In the chat, it turned out the system was using traditional (non-shadow) password storage and traditional Unix password hashing algorithm. Both are poor choices in today's security environment.

Since the traditional password hashing algorithm only stores and compares the first 8 characters of the password, that explains the behavior noticed in the original question.

The posted sshd output includes the line:

Could not get shadow information for user

I would assume this means at least sshd (or possibly the PAM Unix password storage library) on this system includes shadow password functionality, but for some reason, the system vendor has chosen not to use it.
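An added example (not from either answer) of the audit a defender would run to find what the answer above describes: accounts whose hash sits in world-readable /etc/passwd instead of /etc/shadow, accounts marked shadowed but missing from /etc/shadow (the "Could not get shadow information" case), and hashes in traditional DES crypt format, which verifies only the first 8 characters. It assumes the two files are passed in as strings; the sample entries and hash values are constructed placeholders.

```python
import re
# crypt(3) prefix -> (scheme, number of password characters actually verified; None = all)
SCHEMES = {"$1$": ("md5crypt", None), "$5$": ("sha256crypt", None),
           "$6$": ("sha512crypt", None), "$y$": ("yescrypt", None)}
# Traditional DES crypt: 2-char salt + 11 chars from [./0-9A-Za-z], no '$' prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Return (scheme, verified_length) for one passwd/shadow password field."""
    if field == "x":
        return ("shadowed", None)   # real hash lives in /etc/shadow
    if field == "" or field.startswith(("!", "*")):
        return ("locked-or-empty", None)
    for prefix, info in SCHEMES.items():
        if field.startswith(prefix):
            return info
    if DES_RE.match(field):
        return ("descrypt", 8)      # only the first 8 characters are ever compared
    return ("unknown", None)

def audit(passwd, shadow):
    """Walk passwd, resolve 'x' through shadow, report weak or misplaced hashes."""
    shadow_hash = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines() if ":" in l}
    findings = []
    for line in (l for l in passwd.splitlines() if ":" in l):
        user, field = line.split(":")[:2]
        where = "passwd"
        if field == "x":
            if user not in shadow_hash:   # sshd: "Could not get shadow information for user"
                findings.append(f"{user}: marked shadowed but has no /etc/shadow entry")
                continue
            field, where = shadow_hash[user], "shadow"
        scheme, limit = classify(field)
        if where == "passwd" and scheme != "locked-or-empty":
            findings.append(f"{user}: hash kept in world-readable /etc/passwd ({scheme})")
        if limit is not None:
            findings.append(f"{user}: {scheme} verifies only the first {limit} characters")
    return findings
# Constructed sample files; the hash strings are placeholders, not real digests.
SAMPLE_PASSWD = "\n".join([
    "root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh",   # DES-style hash stored directly in passwd
    "daemon:*:1:1::/:/bin/false",
    "alice:x:1000:1000::/home/alice:/bin/sh",
    "bob:x:1001:1001::/home/bob:/bin/sh",
    "carol:x:1002:1002::/home/carol:/bin/sh",
])
SAMPLE_SHADOW = "\n".join([
    "alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::",
    "bob:NoPqRsTuVwXyZ:19000:0:99999:7:::",          # DES-style hash in shadow
])
```

Running audit(SAMPLE_PASSWD, SAMPLE_SHADOW) flags root twice (hash in passwd, DES truncation), bob once (DES truncation) and carol once (no shadow entry); alice and daemon are clean.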


In a BusyBox based distribution, as one built with Yocto usually is, this can perhaps be fixed by enabling the appropriate options in the BusyBox config. This solution assumes that you've got the recipes and are able to build your own, adapted OS image, or at least a fitting BusyBox binary. It also needs advanced cryptographic hashing algorithms (at least SHA-256, better SHA-512) being available (from libc).

In the BusyBox configuration, set

  • Login/Password Management Utilities
    • Support for shadow passwords → enabled
    • Use internal crypt functions → disabled
    • Default password encryption method → sha512 or sha256

Additionally, the contents of /etc/passwd and /etc/shadow have to be adapted, e.g. using the command line tools of the enhanced BusyBox build (passwd, mkpasswd, chpasswd), or by setting them during the image build with EXTRA_USERS_PARAMS:

EXTRA_USERS_PARAMS = " \
    usermod -p '\$6\$<salt>\$<encrypted_pwd>' root; \
    useradd -m -s /bin/sh -G … -u … -p '…' <username>; \
    "