[Bug 559] PAM fixes

Darren J Moffat Darren.Moffat at Sun.COM
Wed May 14 06:43:52 EST 2003

On Tue, 13 May 2003, Damien Miller wrote:

> Darren J Moffat wrote:
> > On Mon, 12 May 2003, Damien Miller wrote:
> >
> >> The PAM stuff is IMO separate - one may disable empty passwords by
> >> omitting the "nullok" flag to pam_unix.so in the PAM control file.
> >
> > That is an argument specific to one vendors implementation of a specific module.
> > There is (and probably should not be) any standardization of the arguments
> > modules take.  Some vendors my choose to standardize options across modules
> > they implement but it is certainly not required.
> Ok, but the point was that control over the behaviour of PAM modules and
> what they accept should be done in the PAM control file and not in
> sshd_config.

In general yes, but for "empty" passwords there is an explicity flag for
pam_authenticate(3pam) PAM_DISALLOW_NULL_AUTHTOK.

Personally I think this is the wrong level of abstraction and if there
is ever a version 2 of PAM I would hope to remove this because it is
individual module policy that should be used here.

Darren J Moffat

More information about the openssh-unix-dev mailing list