openssh bugs - Sep 2003 - [Bug 652] PermitEmptyPasswords option silently ignored

http://bugzilla.mindrot.org/show_bug.cgi?id=652

           Summary: PermitEmptyPasswords option silently ignored
           Product: Portable OpenSSH
           Version: 3.7.1p1
          Platform: All
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: steve at earth.ox.ac.uk


Having upgraded to 3.7.1p1 from 3.6.1p2 using the following configure options:-

./configure --sysconfdir=/etc --with-rsh=/usr/ucb/rsh --with-xauth=/usr/openwin/
bin/xauth --with-default-path=/bin:/usr/ucb:/usr/bin:/usr/local/bin --with-ipv4-
default --with-ssl-dir=/usr/local/ssl

I've discovered that sshd silently ignores the PermitEmptyPasswords option
in
the config file.

Researching further, it seems that the only place the option is referenced after
being set in auth-passwd.c, line 70 where the password has already been
requested from the user.

Unfortunately, even if a user merely hits RETURN at the passowrd prompt (s)he is
given the authentication fails for an account without a password.

If the functionality for NULL passwords has been removed on purpose then this
should be noted in the documentation and the configuration option should be
removed. Otherwise, this bug shold be fixed.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=652

hans at parse.nl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|sshd                        |Build system



------- Additional Comments From hans at parse.nl  2003-09-18 00:50 -------
I can confirm this problem on Slackware 8.0 aswell. 3.7p1 compiled with
following options:

CFLAGS="-O2 -march=i386 -mcpu=i686 -Wall" ./configure --prefix=/usr
--sysconfdir=/etc/ssh --without-pam --with-md5-passwords --with-tcp-wrappers   
        
--with-default-path=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
--with-ipv4-default --with-privsep-path=/var/empty --with-privsep-user=sshd
i386-slackware-linux

PasswordAuthentication yes
PermitEmptyPasswords yes

user with empty password keeps getting password prompt. 

To fix the problem i temporarily reverted back to 3.6.1p2 with patch from
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106378044112153&w=2

will gather some more debug info later




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=652





------- Additional Comments From djm at mindrot.org  2003-09-18 18:19 -------
Created an attachment (id=424)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=424&action=view)
Fix empty password auth

Its a bug. Try this attached patch or wait for the next portable release.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=652

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=652

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cj10 at cam.ac.uk



------- Additional Comments From djm at mindrot.org  2003-09-18 21:32 -------
*** Bug 678 has been marked as a duplicate of this bug. ***



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.