[Bug 609] empty password accounts can login with random password

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jul 1 09:39:05 EST 2003


           Summary: empty password accounts can login with random password
           Product: Portable OpenSSH
           Version: 3.6.1p2
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: advax at triumf.ca

A RedHat 9.0 system (with RedHat's openssh-server-3.5p1-6) is configured with 
"PermitEmptyPasswords no".
An account is created with an empty password (null in /etc/shadow). The intent
is to allow console logins only. This works on A RedHat 8.0 system with 
OpenSSH openssh-server-3.4p1-2.

SSH logins with an empty password are indeed blocked (unless 
"PermitEmptyPasswords yes" is set).

However, any random password will allow login. On RedHat 8, it won't.

I notice that if I list allowed remote users in "AllowUsers" then I can block
the local-only user, which provides a workaround (or may be a better solution
than just blocking empty passwords)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-bugs mailing list