[Bug 559] PAM fixes
Damien Miller
djm at mindrot.org
Mon May 12 22:41:31 EST 2003
Frank Cusack wrote:
> On Mon, May 12, 2003 at 05:47:16PM +1000, bugzilla-daemon at mindrot.org wrote:
>> http://bugzilla.mindrot.org/show_bug.cgi?id=559
>> ------- Additional Comments From djm at mindrot.org 2003-05-12 17:47 -------
>>
>> > - retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>> > + retval = (do_pam_authenticate(options.permit_empty_passwd == 0
>> > + ? PAM_DISALLOW_NULL_AUTHTOK
>> > + : 0) == PAM_SUCCESS);
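Review bot: The flag selection nested inside the do_pam_authenticate() argument on the three `+` lines is hard to read, and a misplaced parenthesis would silently change what is compared against PAM_SUCCESS. Compute the flags into a local first (for example `flags = options.permit_empty_passwd ? 0 : PAM_DISALLOW_NULL_AUTHTOK;`) and pass that. The change covers only this one call site, so a comment stating which authentication methods reach it would help readers judge whether the option is honoured consistently.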
>>
>> Is this still necessary with the CVS -current PAM code?
>
> Yes, something like it is required, auth-pam.c:213 and 216.
>
> It looks like if I do kbdint, and have a null password, I will be
> authenticated regardless of the setting of permit_empty_password.
>
> This is just from inspection, not actual testing, but it looks clear.
> The only place options.permit_empty_password is checked is in
> auth-passwd.c, which isn't in the code path for kbdint.

I am not sure whether this is a problem: PermitEmptyPasswords has, so
far, been only for PasswordAuthentication.

The PAM stuff is IMO separate - one may disable empty passwords by
omitting the "nullok" flag to pam_unix.so in the PAM control file.

The relnotes and manpage would need to make this clear, of course.

-d
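
The PAM-side control mentioned in this message (leaving `nullok` off the `pam_unix.so` line) can be audited with a short script. This is an added example, not part of the original message or of OpenSSH; `find_nullok`, `demo` and the sample files are constructed, and the script assumes `/etc/pam.d`-style control files.

```shell
#!/bin/sh
# Added example: list pam_unix "auth" rules that still carry nullok.
# Assumes /etc/pam.d-style files: type control module-path [arguments].
# find_nullok and the sample files below are constructed for illustration.

find_nullok() {
    # Prints "file:line: rule" per match; exit status 0 if any, 1 if none.
    awk '
        FNR == 1 { pending = "" }
        {
            line = pending $0
            # A trailing backslash continues the rule on the next line.
            if (line ~ /\\$/) { sub(/\\$/, " ", line); pending = line; next }
            pending = ""
            sub(/#.*/, "", line)              # drop comments
            $0 = line                         # re-split into fields
            type = $1; sub(/^-/, "", type)    # "-auth" is still an auth rule
            if (type != "auth") next
            seen = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_unix\.so$/) { seen = 1; continue }
                if (seen && $i ~ /^nullok/) {
                    printf "%s:%d: %s\n", FILENAME, FNR, line
                    found = 1
                    break
                }
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'auth required pam_env.so' \
        'auth sufficient pam_unix.so nullok try_first_pass' \
        '#auth required pam_unix.so nullok' \
        'password sufficient pam_unix.so nullok' > "$d/sshd.permissive"
    printf '%s\n' 'auth required pam_unix.so try_first_pass' > "$d/sshd.hardened"
    find_nullok "$d/sshd.permissive" "$d/sshd.hardened"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo
```

Only `auth` rules are reported; commented-out rules and `nullok` on `password` rules are skipped because they do not affect whether an empty password authenticates.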