bugzilla-daemon at mindrot.org
2003-Nov-06 08:45 UTC
[Bug 755] PermitEmptyPasswords ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=755
Summary: PermitEmptyPasswords ignored
Product: Portable OpenSSH
Version: -current
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: critical
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: Frank.Beckmann at vodafone.com
Hi
There is a big problem: users with empty passwords can log in.
The user has no password in the shadow file ...
He connects with PuTTY, types his name at the prompt and presses Enter:
login as: wparling
Last login: Thu Nov 6 09:44:31 2003 from 10.128.77.18
Verarbeite Gruppe(n) UNIXADM
Lade Modul(e) basis rootstuff legato perl5.6.1 sybase-oc12 visualws6.2 tclx
wparling at systemxx:/home/wparling $
We don't use agents or other things...
The source is patched with Darren's password expired patch.
Frank
ssh -V
OpenSSH_3.7.1p2-pwexp24, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Nov-06 08:48 UTC
[Bug 755] PermitEmptyPasswords ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=755
------- Additional Comments From Frank.Beckmann at vodafone.com 2003-11-06 01:48 -------
Created an attachment (id=492)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=492&action=view)
ssh_config
bugzilla-daemon at mindrot.org
2003-Nov-06 08:49 UTC
[Bug 755] PermitEmptyPasswords ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=755
------- Additional Comments From Frank.Beckmann at vodafone.com 2003-11-06 01:49 -------
Created an attachment (id=493)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=493&action=view)
sshd_config
bugzilla-daemon at mindrot.org
2003-Nov-06 09:05 UTC
[Bug 755] PermitEmptyPasswords ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=755
------- Additional Comments From djm at mindrot.org 2003-11-06 02:05 -------
I can't replicate this unless I use PAM and the nullok option in my
/etc/pam.d/sshd file. Are you using PAM?
bugzilla-daemon at mindrot.org
2003-Nov-06 09:13 UTC
[Bug 755] PermitEmptyPasswords ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=755
------- Additional Comments From Frank.Beckmann at vodafone.com 2003-11-06 02:13 -------
Hello,
we use PAM.
Nov 6 09:44:57 zvadm6 sshd[17967]: Accepted keyboard-interactive/pam for wparling from 10.128.78.228 port 1419 ssh2
Under Solaris there is only a pam.conf; for ssh we don't make any entry.
The ssh works correctly when we put something as a password in /etc/shadow.
Frank
bugzilla-daemon at mindrot.org
2003-Nov-06 09:26 UTC
[Bug 755] PermitEmptyPasswords ignored
http://bugzilla.mindrot.org/show_bug.cgi?id=755
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
------- Additional Comments From djm at mindrot.org 2003-11-06 02:26 -------
This is intended behaviour.
When you have "UsePAM yes" all of the password-related code is bypassed
entirely - all of the checks are purely up to the PAM modules. Either turn off
PAM authentication or look to your PAM config.
I'll mention that UsePAM can bypass PermitEmptyPasswords in the sshd_config
file.
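Added example (not part of the original thread and not OpenSSH code): a Python check for the situation discussed above. It lists accounts whose shadow password field is empty and reports whether sshd or PAM decides on them, following the behaviour described in the thread. Assumptions: both options default to "no" when unset, only global sshd_config settings are read, the PAM input is a pam.d-style service file, and all sample data, function names and verdict labels are constructed.

```python
import re

DEFAULTS = {"usepam": "no", "permitemptypasswords": "no"}  # assumed when unset

def effective_sshd_options(config_text):
    """Global UsePAM / PermitEmptyPasswords; sshd uses the first value it reads."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are out of scope for this check
        if key in DEFAULTS and key not in opts and len(parts) == 2:
            opts[key] = parts[1].strip()
    return {**DEFAULTS, **opts}

def empty_password_accounts(shadow_text):
    """Names whose second shadow field (the password hash) is empty."""
    rows = (l.split(":") for l in shadow_text.splitlines())
    return [f[0] for f in rows if len(f) >= 2 and f[0] and f[1] == ""]

def pam_has_nullok(pam_text):
    """True if an auth line of a pam.d-style service file carries nullok."""
    for raw in pam_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok and tok[0] == "auth" and "nullok" in tok[1:]:
            return True
    return False

def audit(sshd_config, shadow, pam_service=None):
    """Return (account, verdict) pairs for every empty-password account."""
    opts = effective_sshd_options(sshd_config)
    if opts["usepam"] == "yes":
        # Per the thread: PAM modules decide; PermitEmptyPasswords is bypassed.
        if pam_service is None:
            verdict = "PAM_DECIDES"
        else:
            verdict = "PAM_NULLOK" if pam_has_nullok(pam_service) else "PAM_NO_NULLOK"
    else:
        verdict = "SSHD_ALLOWS" if opts["permitemptypasswords"] == "yes" else "SSHD_DENIES"
    return [(name, verdict) for name in empty_password_accounts(shadow)]

# Constructed sample inputs (not the reporter's attached files).
SAMPLE_SSHD = "PermitEmptyPasswords no\nUsePAM yes\nusepam no  # ignored, first wins\n"
SAMPLE_SHADOW = "root:$1$constructed$hash:12000::::::\nexampleuser::12000::::::\n"
SAMPLE_PAM = "auth required pam_unix.so nullok\naccount required pam_unix.so\n"

print(audit(SAMPLE_SSHD, SAMPLE_SHADOW, SAMPLE_PAM))
```

A PAM_DECIDES or PAM_NULLOK verdict means the sshd_config setting alone does not protect the account; give it a password or lock it, or review the PAM stack.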