Empty password patch

USENBINZ at de.ibm.com
Tue Jun 19 17:59:11 EST 2001




For every (successful) ssh-connection we got an additional annoying entry
in /var/log/messages like the following:

Jun 19 09:06:57 LIN3135 pam_afs[5913]: AFS Won't use illegal password for user usenbinz

The OpenAFS PAM module posts this message when it is called for
authentication with a (disallowed) empty password. The simple patch below
checks PermitEmptyPasswords in sshd_config before trying to authenticate
with an empty password. This ssh option was previously ignored when PAM
accepted empty passwords, but I think it is ok when an ssh option overrules
PAM for an ssh connection... Setting PermitEmptyPasswords to yes will
result in the old behaviour.
Note that while the patch below is for the CVS version I have only tested
the behaviour based on an old openssh 1.2.2 tarball from a Suse 6.4
distribution. I haven't yet figured out why, but the stuff from CVS in
openbsd-compat fails to compile miserably on my systems...

===================================================================
RCS file: /cvs/openssh_cvs/auth1.c,v
retrieving revision 1.41
diff -u -r1.41 auth1.c
--- auth1.c     2001/06/05 18:56:17     1.41
+++ auth1.c     2001/06/19 06:41:35
@@ -83,7 +83,7 @@
             authctxt->valid ? "" : "illegal user ", authctxt->user);

        /* If the user has no password, accept authentication immediately.
*/
-       if (options.password_authentication &&
+       if (options.password_authentication && options.permit_empty_passwd
&&
 #ifdef KRB4
            (!options.kerberos_authentication ||
options.kerberos_or_local_passwd) &&
 #endif
