[Bug 609] empty password accounts can login with random password
http://bugzilla.mindrot.org/show_bug.cgi?id=609

Summary: empty password accounts can login with random password
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: advax@triumf.ca


A RedHat 9.0 system (with RedHat's openssh-server-3.5p1-6) is configured with
"PermitEmptyPasswords no".
An account is created with an empty password (null in /etc/shadow). The intent
is to allow console logins only. This works on a RedHat 8.0 system with
OpenSSH openssh-server-3.4p1-2.

SSH logins with an empty password are indeed blocked (unless
"PermitEmptyPasswords yes" is set).

However, any random password will allow login. On RedHat 8, it won't.

I notice that if I list allowed remote users in "AllowUsers" then I can block
the local-only user, which provides a workaround (or may be a better solution
than just blocking empty passwords).



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
------- Additional Comments From dtucker@zip.com.au 2003-07-01 09:55 -------
Can you reproduce this with vanilla openssh-3.6.1p2 (e.g. from ftp.ca.openbsd.org)
configured --with-pam?



------- Additional Comments From matthewg@zevils.com 2003-07-01 10:37 -------
I think that bug #611 might be the cause of this.



matthewg@zevils.com changed:

What   | Removed | Added
-------|---------|--------------------
CC     |         | matthewg@zevils.com





djm@mindrot.org changed:

What       | Removed | Added
-----------|---------|---------
Status     | NEW     | RESOLVED
Resolution |         | INVALID



------- Additional Comments From djm@mindrot.org 2003-07-01 11:00 -------
RTFM, or get your distributor to:

http://www.openssh.com/faq.html#3.2



------- Additional Comments From dtucker@zip.com.au 2003-07-01 11:03 -------
As a workaround, you could give your no-password user a shell that's not listed
in /etc/shells. This will cause sshd to deny the connection attempt very early
in the authentication process.



------- Additional Comments From djm@mindrot.org 2003-07-01 11:10 -------
There is no need for an additional workaround - one must remove the "nullok"
flag in the PAM conf.

Really, the bug is in PAM itself.



------- Additional Comments From advax@triumf.ca 2003-07-01 14:23 -------
OK, after messing around trying 3.6.1p2 I realize I had a "DenyUsers" line
in sshd_config on the RedHat 8 system which I had forgotten about.
The RedHat sshd.pam does not have nullok but it is chained to system-auth
which does. I guess unchaining it might work but I don't want to depart
too much from the stock distro, especially in things I don't really understand
(like PAM).

So the issue is that PermitEmptyPasswords is ignored if PAM is used.
If PAM is really broken like this then maybe a note in the sshd_config manpage
is in order.
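As an added example (not part of the bug thread, and not OpenSSH's or Red Hat's own files), the following POSIX shell audit covers the three points raised across the thread: djm's point that the "nullok" flag must be removed from the PAM configuration, dtucker's early-deny workaround of giving the account a shell that is absent from /etc/shells, and the sshd_config PermitEmptyPasswords setting. All file contents are constructed samples written to a temporary directory; the function names, the paths, and the "consoleonly" user are assumptions made for the example, not anything from the reporter's systems.

```sh
#!/bin/sh
# Added audit example (not from the bug thread or OpenSSH). Each check takes
# file paths as parameters so it runs here against constructed samples; on a
# real host you would point them at /etc/pam.d/system-auth, /etc/passwd,
# /etc/shells and /etc/ssh/sshd_config.

# 1. Does a PAM stack pass "nullok" to pam_unix.so on a non-comment line?
#    With nullok, pam_unix treats an empty password field as acceptable, and
#    sshd's PermitEmptyPasswords check (which only looks at what the client
#    sent) does not protect the account. Returns 0 if found, 1 otherwise.
pam_allows_nullok() {
    grep -Eq '^[^#]*pam_unix\.so[^#]*nullok' "$1"
}

# 2. Is the login shell of user $1 (looked up in passwd file $2) listed in
#    shells file $3? sshd refuses accounts whose shell is not listed, which is
#    the early-deny workaround suggested in the thread. Returns 0 if listed,
#    1 if not listed or if the user does not exist.
shell_is_listed() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    [ -n "$shell" ] && grep -qxF "$shell" "$3"
}

# 3. Does sshd_config $1 set PermitEmptyPasswords to yes? The keyword is
#    case-insensitive, the first occurrence wins, and absence means "no"
#    (only the space-separated "Keyword value" form is parsed here).
#    Returns 0 if empty passwords are permitted, 1 otherwise.
sshd_permits_empty() {
    awk 'tolower($1) == "permitemptypasswords" && v == "" { v = tolower($2) }
         END { exit (v == "yes") ? 0 : 1 }' "$1"
}

# ---- constructed sample files (not real system files) ----
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# A stack resembling a stock Red Hat system-auth of the era, still with nullok.
cat > "$TMP/system-auth.stock" <<'EOF'
# constructed sample: stock-style auth stack
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
EOF

# The same stack after the fix djm describes: nullok removed.
cat > "$TMP/system-auth.fixed" <<'EOF'
# constructed sample: nullok removed
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth
auth        required      pam_deny.so
EOF

# A console-only account (hypothetical) given a shell not in /etc/shells.
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
consoleonly:x:1001:1001::/home/consoleonly:/usr/local/bin/console-sh
EOF
printf '/bin/sh\n/bin/bash\n' > "$TMP/shells"

# sshd_config with the setting the reporter used (commented default kept too).
cat > "$TMP/sshd_config" <<'EOF'
#PermitEmptyPasswords no
PermitEmptyPasswords no
AllowUsers admin
EOF

# ---- report ----
for f in "$TMP/system-auth.stock" "$TMP/system-auth.fixed"; do
    if pam_allows_nullok "$f"; then
        echo "WARN: $f passes nullok to pam_unix.so (empty-hash accounts pass PAM)"
    else
        echo "ok:   $f does not use nullok"
    fi
done

if shell_is_listed consoleonly "$TMP/passwd" "$TMP/shells"; then
    echo "note: consoleonly has a listed shell; sshd will not deny it early"
else
    echo "ok:   consoleonly's shell is not in the shells file; sshd denies it early"
fi

if sshd_permits_empty "$TMP/sshd_config"; then
    echo "WARN: sshd_config permits empty passwords"
else
    echo "ok:   sshd_config does not permit empty passwords"
fi
```

The first check is the one that matters for this bug: with a PAM-enabled sshd, "PermitEmptyPasswords no" only rejects an empty submitted password, so an account with an empty hash stays exposed until nullok is removed from the stack that sshd's PAM service chains to (system-auth on the reporter's Red Hat 9 host). The shell check confirms dtucker's workaround is in place, and the third check simply verifies the sshd_config setting the reporter already had.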
