[Bug 609] empty password accounts can login with random password
bugzilla-daemon at mindrot.org
Tue Jul 1 09:39:05 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=609
Summary: empty password accounts can login with random password
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: security
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: advax at triumf.ca
A RedHat 9.0 system (with RedHat's openssh-server-3.5p1-6) is configured with
"PermitEmptyPasswords no".
An account is created with an empty password (null in /etc/shadow). The intent
is to allow console logins only. This works on a RedHat 8.0 system with
OpenSSH openssh-server-3.4p1-2.
SSH logins with an empty password are indeed blocked (unless
"PermitEmptyPasswords yes" is set).
However, any random password will allow login. On RedHat 8, it won't.
I notice that if I list allowed remote users in "AllowUsers" then I can block
the local-only user, which provides a workaround (or may be a better solution
than just blocking empty passwords).
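An audit for the configuration described in the report, as an added example that is not part of the original bug report or of OpenSSH: it lists accounts with a null password field in shadow-format text and flags those that no AllowUsers pattern keeps away from sshd. The function names and sample data are constructed for illustration; the check is simplified and ignores Match blocks, DenyUsers, group directives and negated patterns.

```python
import fnmatch

# Constructed sample data (not from the report): shadow(5) lines and an sshd_config.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:12000:0:99999:7:::
kiosk::12000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
guest::12000:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """\
# constructed example
PermitEmptyPasswords no
AllowUsers alice root@10.0.0.*
"""

def empty_password_users(shadow_text):
    """Return account names whose shadow password field is empty (null)."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            users.append(fields[0])
    return users

def allow_users_patterns(config_text):
    """Collect the user part of every AllowUsers pattern; None if the keyword is absent."""
    patterns = None
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].lower() == "allowusers":
            # user@host patterns are reduced to the user part (conservative for an audit)
            patterns = (patterns or []) + [w.split("@", 1)[0] for w in words[1:]]
    return patterns

def ssh_reachable_empty_accounts(shadow_text, config_text):
    """Empty-password accounts that AllowUsers does not keep away from sshd."""
    patterns = allow_users_patterns(config_text)
    flagged = []
    for user in empty_password_users(shadow_text):
        # Without any AllowUsers line, every account is a candidate for SSH login.
        if patterns is None or any(fnmatch.fnmatchcase(user, p) for p in patterns):
            flagged.append(user)
    return flagged

if __name__ == "__main__":
    print("no AllowUsers:", ssh_reachable_empty_accounts(SAMPLE_SHADOW, "PermitEmptyPasswords no\n"))
    print("with AllowUsers:", ssh_reachable_empty_accounts(SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG))
```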