Web Page for PAM security compromise
Folks, I'm writing at the suggestion of Don and Joey.  There is a
serious, but rare bug in pam, where a user can get into a situation
where any password will be accepted to access their system.

We're going to display a critical debconf note if we detect this
situation.  We'd like to point people to a webpage where they can find
out more information.

I would appreciate help getting this web page written and finding a
place for it.  I don't feel qualified to write the content; I'm hoping
that the www team plus the people cc'd on this message can help us get
that together.  We would like to do this with some urgency.  In the
interest of full disclosure, this issue has been known since March, but
Steve prepared a fix this week.  Still, the faster we can get that fix
out to our users, the better it will be.

I think that a web page might contain pointers to:
* Why it's reasonable to assume that a system on the Internet with no password will be compromised
* Information on malicious software and botnets
* Information on trying to do security recovery of a Debian system
* Information on resources for commercial and free help in recovering

Here's a draft of a debconf note I've put together; Steve has not reviewed it, and it may change internally.

Template: libpam-runtime/you-had-no-auth
Type: note
_Description: Your system allows access with no password!
 When you configured PAM on this system, you elected to disable all
 PAM profiles.  As a result, any password will be accepted to gain
 access to the system; even incorrect passwords will gain
 access. Especially if this system can be accessed from the Internet,
 it is likely that malicious software has been installed and the
 system compromised.  Unless you are familiar with recovering from
 security failures, viruses, and malicious software you should
 re-install this system from scratch or obtain the services of a
 skilled system administrator.  For more information see
 http://www.debian.org/xxx 
 .
 The PAM packaging has been improved and the automated PAM
 configuration tool no longer permits this configuration.  We
 apologize that previous versions of the PAM configuration did not
 detect and prevent this situation.
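
Editor's added example, not part of the original message or of the Debian PAM packaging: a small shell check for the condition the note describes, an authentication stack in which nothing can reject a password. It assumes (as a labelled assumption, since the message does not say how the packaging detects the state) that disabling every PAM profile leaves a common-auth file whose only "auth" module is pam_permit.so; the two sample configurations are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original message): flag a PAM "auth" stack that
# accepts any password. Assumption: the misconfiguration described in the
# debconf note leaves common-auth with pam_permit.so as its only auth module.

# pam_auth_is_open FILE
# Returns 0 (true) when FILE has at least one "auth" line and every one of
# them loads pam_permit.so, so no module in the stack can reject a password.
pam_auth_is_open() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blank lines
        $1 == "auth" {
            total++
            if ($0 ~ /pam_permit\.so/) permit++
        }
        END { if (total > 0 && total == permit) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample configurations (not copied from any real system).
OPEN_SAMPLE=$(mktemp)
cat > "$OPEN_SAMPLE" <<'EOF'
# constructed: common-auth as left behind with every profile deselected
auth    required    pam_permit.so
EOF

SAFE_SAMPLE=$(mktemp)
cat > "$SAFE_SAMPLE" <<'EOF'
# constructed: common-auth with the Unix profile enabled
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite   pam_deny.so
auth    required    pam_permit.so
EOF

# report FILE: print a human-readable verdict for one configuration file
report() {
    if pam_auth_is_open "$1"; then
        echo "WIDE OPEN: $1 accepts any password"
    else
        echo "ok: $1 contains a module that can reject a password"
    fi
}

report "$OPEN_SAMPLE"
report "$SAFE_SAMPLE"
```

Run against a live system, the same function would be pointed at /etc/pam.d/common-auth; a positive result should be treated as the note treats it, as a likely compromise rather than a configuration nuisance.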
