
Bug#155267: marked as done (default login with no password possible)



Your message dated Tue, 1 Mar 2005 13:20:35 -0800
with message-id <20050301212034.GA4981@localhost.localdomain>
and subject line unreproducible, moreinfo, and no response so closing
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Aug 2002 19:44:09 +0000
>From dooleyr@missouri.edu Fri Aug 02 14:44:09 2002
Return-path: <dooleyr@missouri.edu>
Received: from (col-msxproto2.col.missouri.edu) [128.206.7.132] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17aiLJ-0007HT-00; Fri, 02 Aug 2002 14:44:09 -0500
Received: from col-mailnode03.col.missouri.edu ([128.206.7.135]) by col-msxproto2.col.missouri.edu with Microsoft SMTPSVC(5.0.2195.4905);
	 Fri, 2 Aug 2002 14:43:15 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C23A5C.D7FF736E"
Subject: default login with no password possible
Date: Fri, 2 Aug 2002 14:43:15 -0500
Message-ID: <C0B11D0413A966428A8FAAED4B198CA46AC897@col-mailnode03.col.missouri.edu>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: default login with no password possible
Thread-Index: AcI6XNgh7dhZiulPShGFYSaWd182Yw==
From: "Dooley, Ryan" <dooleyr@missouri.edu>
To: <submit@bugs.debian.org>
X-OriginalArrivalTime: 02 Aug 2002 19:43:15.0898 (UTC) FILETIME=[D83B91A0:01C23A5C]
Delivered-To: submit@bugs.debian.org

This is a multi-part message in MIME format.

------_=_NextPart_001_01C23A5C.D7FF736E
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Package: base install
Version: 3.0 (woody)

A recent security audit turned up the ability to login on a fresh
install with the accounts bin, daemon, and games from a telnet session
without a password.

A fix seemed to be making sure that the password in /etc/passwd (or
/etc/shadow if configured) is set to "!" instead of "*".  Another issue
might have been the existence of "nullok" in /etc/pam.d/login (and other
files).

I've not been able to reproduce this on the only other Debian system I
have access to, however, it is still Debian 2.2.

I am using Debian GNU/Linux 3.0, kernel 2.4.18-686 and libc-2.2.5

Ryan


------_=_NextPart_001_01C23A5C.D7FF736E--
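
Added example, not part of the report above or of any Debian package: a shell check for the two conditions the report names, an account whose effective password field is empty and a PAM line that passes nullok to pam_unix. The function names are made up for this example, the file paths are parameters, and the sample files are constructed so the script runs without touching the real /etc/shadow.

```shell
#!/bin/sh
# Added example: find accounts that need no password, and PAM lines that allow it.

# Print accounts whose effective password field is empty.
# $1 = passwd-format file, $2 = shadow-format file
empty_password_accounts() {
    awk -F: '
        NF < 2 || /^#/ { next }
        # Shadow is read first: remember each account field.
        FILENAME == shadow { hash[$1] = $2; next }
        {
            field = $2
            # "x" in passwd means the real field lives in shadow.
            if (field == "x" && ($1 in hash)) field = hash[$1]
            # "*" and "!" are not valid hashes, so no password matches
            # them; only an empty field means "no password needed".
            if (field == "") print $1
        }
    ' shadow="$2" "$2" "$1"
}

# Print file:line:text for active (uncommented) pam_unix lines with nullok.
# $@ = PAM config files or directories, e.g. /etc/pam.d
nullok_lines() {
    grep -rHnE '^[^#]*pam_unix\.so.*[[:space:]]nullok' "$@"
}

# Constructed sample data (not taken from the report).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/bin/sh' \
    'bin:x:2:2:bin:/bin:/bin/sh' \
    'games:x:5:60:games:/usr/games:/bin/sh' > "$demo/passwd"
printf '%s\n' 'root:$1$constructed$hash:11900:0:99999:7:::' \
    'daemon:*:11900:0:99999:7:::' \
    'bin:!:11900:0:99999:7:::' \
    'games::11900:0:99999:7:::' > "$demo/shadow"
printf '%s\n' '# auth required pam_unix.so nullok' \
    'auth required pam_unix.so nullok' > "$demo/login"

empty_password_accounts "$demo/passwd" "$demo/shadow"
nullok_lines "$demo/login"
```

On a live system the same functions take /etc/passwd, /etc/shadow and /etc/pam.d as arguments; reading /etc/shadow requires root.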

---------------------------------------
Received: (at 155267-done) by bugs.debian.org; 2 Mar 2005 02:03:37 +0000
>From kraai@ftbfs.org Tue Mar 01 18:03:37 2005
Return-path: <kraai@ftbfs.org>
Received: from zoot.lafn.org [206.117.18.6] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D6JD6-0005DY-00; Tue, 01 Mar 2005 18:03:37 -0800
Received: from localhost.localdomain (wbar6-lax1-4-10-192-126.lax1.dsl-verizon.net [4.10.192.126])
	(authenticated bits=0)
	by zoot.lafn.org (8.13.1/8.13.1) with ESMTP id j2223Zd4047761
	(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
	for <155267-done@bugs.debian.org>; Tue, 1 Mar 2005 18:03:36 -0800 (PST)
	(envelope-from kraai@localhost.localdomain)
Received: from kraai by localhost.localdomain with local (Exim 4.44)
	id 1D6EnD-0001IU-1e
	for 155267-done@bugs.debian.org; Tue, 01 Mar 2005 13:20:35 -0800
Date: Tue, 1 Mar 2005 13:20:35 -0800
From: Matt Kraai <kraai@ftbfs.org>
To: 155267-done@bugs.debian.org
Subject: unreproducible, moreinfo, and no response so closing
Message-ID: <20050301212034.GA4981@localhost.localdomain>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="2oS5YaxWCcQjTEyO"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
X-Virus-Scanned: ClamAV version 0.82, clamav-milter version 0.82 on zoot.lafn.org
X-Virus-Status: Clean
X-BadReturnPath: kraai@localhost.localdomain rewritten as kraai@ftbfs.org
  using "From" header
Delivered-To: 155267-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-2.6 required=4.0 tests=BAYES_00,DATE_IN_PAST_03_06 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Howdy,

Since no one else was able to reproduce the problem and the submitter
didn't send any more information, I'm closing this bug.

-- 
Matt

--2oS5YaxWCcQjTEyO--