Package: base install Version: 3.0 (woody)
A recent security audit turned up the ability to login on a fresh install with the accounts bin, daemon, and games from a telnet session with out a password.
A fix seemed to be making sure that the password in /etc/passwd (or /etc/shadow if configured) is set to “!” instead of “*”. Another issue might have been the existence of “nullok” in /etc/pam.d/login (and other files).
I’ve not been able to reproduce this on the only other Debian system I have access to, however, it is still Debian 2.2.
I am using Debian GNU/Linux 3.0, kernel 2.4.18-686 and libc-2.2.5
Ryan |