bugzilla-daemon at mindrot.org
2003-Jun-30 23:39 UTC
[Bug 609] empty password accounts can login with random password
http://bugzilla.mindrot.org/show_bug.cgi?id=609

Summary: empty password accounts can login with random password
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: advax at triumf.ca

A RedHat 9.0 system (with RedHat's openssh-server-3.5p1-6) is configured with "PermitEmptyPasswords no". An account is created with an empty password (null in /etc/shadow). The intent is to allow console logins only.

This works on a RedHat 8.0 system with OpenSSH openssh-server-3.4p1-2.

SSH logins with an empty password are indeed blocked (unless "PermitEmptyPasswords yes" is set). However, any random password will allow login. On RedHat 8, it won't.

I notice that if I list allowed remote users in "AllowUsers" then I can block the local-only user, which provides a workaround (or may be a better solution than just blocking empty passwords).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Jun-30 23:55 UTC
[Bug 609] empty password accounts can login with random password
http://bugzilla.mindrot.org/show_bug.cgi?id=609

------- Additional Comments From dtucker at zip.com.au 2003-07-01 09:55 -------
Can you reproduce this with vanilla openssh-3.6.1p2 (eg from ftp.ca.openbsd.org) configured --with-pam?
bugzilla-daemon at mindrot.org
2003-Jul-01 00:37 UTC
[Bug 609] empty password accounts can login with random password
http://bugzilla.mindrot.org/show_bug.cgi?id=609

------- Additional Comments From matthewg at zevils.com 2003-07-01 10:37 -------
I think that bug #611 might be the cause of this.
bugzilla-daemon at mindrot.org
2003-Jul-01 00:38 UTC
[Bug 609] empty password accounts can login with random password
http://bugzilla.mindrot.org/show_bug.cgi?id=609

matthewg at zevils.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matthewg at zevils.com
bugzilla-daemon at mindrot.org
2003-Jul-01 01:00 UTC
[Bug 609] empty password accounts can login with random password
http://bugzilla.mindrot.org/show_bug.cgi?id=609

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From djm at mindrot.org 2003-07-01 11:00 -------
RTFM, or get your distributor to: http://www.openssh.com/faq.html#3.2
bugzilla-daemon at mindrot.org
2003-Jul-01 01:03 UTC
[Bug 609] empty password accounts can login with random password
http://bugzilla.mindrot.org/show_bug.cgi?id=609

------- Additional Comments From dtucker at zip.com.au 2003-07-01 11:03 -------
As a workaround, you could give your no-password user a shell that's not listed in /etc/shells. This will cause sshd to deny the connection attempt very early in the authentication process.
bugzilla-daemon at mindrot.org
2003-Jul-01 01:10 UTC
[Bug 609] empty password accounts can login with random password
http://bugzilla.mindrot.org/show_bug.cgi?id=609

------- Additional Comments From djm at mindrot.org 2003-07-01 11:10 -------
There is no need for an additional workaround - one must remove the "nullok" flag in the PAM conf. Really, the bug is in PAM itself.
bugzilla-daemon at mindrot.org
2003-Jul-01 04:23 UTC
[Bug 609] empty password accounts can login with random password
http://bugzilla.mindrot.org/show_bug.cgi?id=609

------- Additional Comments From advax at triumf.ca 2003-07-01 14:23 -------
OK, after messing around trying 3.6.1p2 I realize I had a "DenyUsers" line in sshd_config on the RedHat 8 system which I had forgotten about.

The RedHat sshd.pam does not have nullok but it is chained to system-auth which does. I guess unchaining it might work but I don't want to depart too much from the stock distro, especially in things I don't really understand (like PAM).

So the issue is that PermitEmptyPasswords is ignored if PAM is used. If PAM is really broken like this then maybe a note in the sshd_config manpage is in order.
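A defender-side audit for the condition this thread pins down (nullok reachable through the sshd -> system-auth PAM chain, plus an account whose shadow password field is empty), as an added example rather than code from the bug report, OpenSSH or Red Hat. The PAM files and shadow entries it writes are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added audit example; not code from the bug thread, OpenSSH or Red Hat. It checks
# the two conditions that together reproduce Bug 609 on a PAM-enabled sshd:
#   1. 'nullok' reachable from the sshd PAM service, following 'include <svc>' and
#      'pam_stack.so service=<svc>' references (the sshd -> system-auth chain);
#   2. accounts whose /etc/shadow password field is empty.
# PAM_DIR and SHADOW are constructed sample data so this runs offline; point them at
# /etc/pam.d and /etc/shadow (as root) for a real audit.
PAM_DIR=$(mktemp -d)
SHADOW=$(mktemp)
cat > "$PAM_DIR/sshd" <<'EOF'
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
EOF
cat > "$PAM_DIR/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
EOF
cat > "$SHADOW" <<'EOF'
root:$1$constructed$notarealhashxxxxxxxxxxxx:12233:0:99999:7:::
consoleonly::12233:0:99999:7:::
EOF
# Print "service: line" for each non-comment line carrying nullok, recursing into
# referenced services ($3 = depth, capped so an include loop cannot run forever).
pam_nullok() {
    f="$1/$2"
    [ -f "$f" ] && [ "${3:-0}" -lt 8 ] || return 0
    grep -E '^[^#]*(^|[[:space:]])nullok([[:space:]]|$)' "$f" | sed "s|^|$2: |"
    for svc in $(awk '$2=="include" {print $3}
        $3=="pam_stack.so" {for (i=4;i<=NF;i++) if (sub(/^service=/,"",$i)) print $i}' "$f"); do
        pam_nullok "$1" "$svc" $(( ${3:-0} + 1 ))
    done
}
count_nullok() { pam_nullok "$1" "$2" | grep -c nullok || true; }

# Usernames whose shadow password field is empty.
empty_pw_accounts() { awk -F: '$2=="" {print $1}' "$1"; }

# The fix named in the thread: remove nullok from the chained PAM file in place.
strip_nullok() {
    sed -E 's/[[:space:]]+nullok([[:space:]]|$)/\1/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

BEFORE=$(count_nullok "$PAM_DIR" sshd)
echo "nullok lines reachable from sshd: $BEFORE; empty-password accounts: $(empty_pw_accounts "$SHADOW")"
strip_nullok "$PAM_DIR/system-auth"
AFTER=$(count_nullok "$PAM_DIR" sshd)
echo "nullok lines reachable from sshd after the fix: $AFTER"
```

Because the sshd service file itself carries no nullok, a grep of /etc/pam.d/sshd alone would report the host clean; the recursion into system-auth is what surfaces the option.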
Damien Miller
2003-Jul-01 05:18 UTC
[Bug 609] empty password accounts can login with random password
On Tue, 1 Jul 2003 bugzilla-daemon at mindrot.org wrote:

> http://bugzilla.mindrot.org/show_bug.cgi?id=609
>
> ------- Additional Comments From advax at triumf.ca 2003-07-01 14:23 -------
> OK, after messing around trying 3.6.1p2 I realize I had a "DenyUsers" line
> in sshd_config on the RedHat 8 system which I had forgotten about.
> The RedHat sshd.pam does not have nullok but it is chained to system-auth
> which does. I guess unchaining it might work but I don't want to depart
> too much from the stock distro especially in things I don't really understand
> (like PAM)
>
> So the issue is that PermitEmptyPasswords is ignored if PAM is used.
> If PAM is really broken like this then maybe a note in the sshd_config manpage
> is in order.