similar to: [Bug 235] New: While PermitEmptyPasswords no, user can connect, entering ANY other password

http://bugzilla.mindrot.org/show_bug.cgi?id=235 ------- Additional Comments From mouring at eviladmin.org 2002-05-06 06:09 ------- Created an attachment (id=92) Try the following patch to auth-passwd.c ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=235 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From stevesk at pobox.com 2002-07-18 15:17

https://bugzilla.mindrot.org/show_bug.cgi?id=2475 Bug ID: 2475 Summary: Login failure when PasswordAuthentication, ChallengeResponseAuthentication, and PermitEmptyPasswords are all enabled Product: Portable OpenSSH Version: 7.1p1 Hardware: ix86 OS: Linux Status: NEW

Greetings, Problem : Openssh3.6.1p2 on UnixWare 7.1.1 allows access to passwordless account without a valid key when sshd_config has PasswordAuthentication no + PermitEmptyPasswords yes Attempts: Installed maintence pack3 and recompiled both OpenSSH and OpenSSL (0.9.7b) with native c compiler. Recompiled both OpenSSH and OpenSSL (0.9.7b) with gcc (2.95.2). Still the same problem. Looking at

Greetings, I recently discovered a problem with OpenSSH 3.6.1p2 and UnixWare 7.1.1 (as well as OpenServer 5.0.X and SCO 3.2v4.2) When I set up sshd_config as follows: PasswordAuthentication no PermitEmptyPasswords yes and try to connect to a password less account ( I know its a F*up, but that's the application ID10Ts .... ) I can get in using the SSH2 version without a valid key, the

http://bugzilla.mindrot.org/show_bug.cgi?id=289 Summary: mmap error when trying to use 3.3p1 with privsep Product: Portable OpenSSH Version: 3.1p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

Greetings, complete debug below > -----Original Message----- > From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] > Sent: 10 July 2003 03:32 > To: Vikash Badal - PCS > Cc: 'openssh-unix-dev at mindrot.org' > Subject: Re: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + > PasswordAuthentication no + PermitEmptyPasswords yes (followup) > > > > Would be

http://bugzilla.mindrot.org/show_bug.cgi?id=159 Summary: Password-Authentication with openssh-3.1p1 fails Product: Portable OpenSSH Version: 3.1p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=609 Summary: empty password accounts can login with random password Product: Portable OpenSSH Version: 3.6.1p2 Platform: ix86 OS/Version: Linux Status: NEW Severity: security Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=609 Summary: empty password accounts can login with random password Product: Portable OpenSSH Version: 3.6.1p2 Platform: ix86 OS/Version: Linux Status: NEW Severity: security Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org

Greetings, When PasswordAuthentication no + PermitEmptyPasswords yes SSH2 allows access to a passwordless account without a valid key. This is my patch: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ wormhole# diff -u auth2-none.c.old auth2-none.c --- auth2-none.c.old Thu Jul 17 06:23:24 2003 +++ auth2-none.c Thu Jul 17 06:44:42 2003 @@ -100,7 +100,9 @@ if (check_nt_auth(1,

http://bugzilla.mindrot.org/show_bug.cgi?id=755 Summary: PermitEmptyPasswords ignored Product: Portable OpenSSH Version: -current Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: critical Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy:

http://bugzilla.mindrot.org/show_bug.cgi?id=342 Summary: RhostsRSAAuthentication does not work with 3.4p1 Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org

If I have PasswordAuthentication yes PermitEmptyPasswords no I'm not able to log in using authorized key authentication if my password is blank. This changed when upgrading from portable 3.7.1p1 to 3.7.1p2. My thoughts were PermitEmptyPasswords would only be used if authenticating with a password. ./configure --with-pam --prefix=/usr --sysconfdir=/etc/ssh

Greetings, > -----Original Message----- > From: Vikash Badal - PCS > Sent: 10 July 2003 07:36 > To: 'Tim Rice' > Subject: RE: OpenSSH 3.6.1p2 +UnixWare 7.1.1 +SSH2 + > PasswordAuthentication no + PermitEmptyPasswords yes > > > Greetings, > > Using gcc (2.95.2) + maintenance pack 2 > > Will try maintenance pack 3 and recompile > > Thanks.

http://bugzilla.mindrot.org/show_bug.cgi?id=652 Summary: PermitEmptyPasswords option silently ignored Product: Portable OpenSSH Version: 3.7.1p1 Platform: All OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy:

For every (successful) ssh-connection we got an additional annoying entry in /var/log/messages like the following: Jun 19 09:06:57 LIN3135 pam_afs[5913]: AFS Won't use illegal password for user usenbinz The OpenAFS PAM module posts this message when it is called for authentication with an (disallowed) empty password. The simple patch below checks PermitEmptyPasswords in sshd_config before

Hi, after installing 3.6.1p2 I noticed spurious PAM login failures even with PermitEmptyPasswords set to "no": sshd(pam_unix)[1740]: authentication failure; logname=XXX uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost user=XXX After looking at the code I noticed the following in the portability p2 patch: +++ openssh-3.6.1p2/auth-passwd.c 2003-04-29 19:12:08.000000000 +1000

Vesion 3.8.1 of OpenSSH has been compiled on a Solaris 8 host. I am having difficulties in enabling password aging to work from reading /etc/default/passwd and /etc/shadow. # passwd -f < user-id > works satisfactorily however once a password ages through due course from the settings in /etc/default/passwd and /etc/shadow the users are not prompted to change passwords and the user is logged

Wonder if you guys could help me out...have a security problem with sshd wich enables a user to do a password login tough the sshd_config states PasswordAuthentication no My config works fine in both gentoo and openbsd 3.3 but users are able to login with tunneled clear text passwords in both 4.9 and 5.1 Im lost.tried everything I can think of. Here is the config: