Bug#155267: default login with no password possible

Package: base install

Version: 3.0 (woody)


A recent security audit turned up the ability to log in on a fresh install with the accounts bin, daemon, and games from a telnet session without a password.


A fix seemed to be making sure that the password in /etc/passwd (or /etc/shadow if configured) is set to “!” instead of “*”.  Another issue might have been the existence of “nullok” in /etc/pam.d/login (and other files).


I’ve not been able to reproduce this on the only other Debian system I have access to; however, it is still Debian 2.2.


I am using Debian GNU/Linux 3.0, kernel 2.4.18-686 and libc-2.2.5.
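
The following check is an added example, not part of the original report: it reads passwd- and shadow-format text, lists accounts whose password field is empty, and reports active `nullok` options in a PAM file such as /etc/pam.d/login. The function names and all sample data are constructed for illustration.

```python
# Added example; all account data and PAM lines below are constructed.
def password_fields(passwd_text, shadow_text=""):
    """Map account name -> effective password field ('x' defers to shadow)."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    shadow = {p[0]: p[1] for p in rows if len(p) >= 2}
    fields = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue  # skip blank or malformed lines
        name, pw = parts[0], parts[1]
        fields[name] = shadow.get(name, pw) if pw == "x" else pw
    return fields

def empty_password_accounts(passwd_text, shadow_text=""):
    """Accounts whose field is empty; '*' and '!' are non-empty, so not flagged."""
    fields = password_fields(passwd_text, shadow_text)
    return sorted(name for name, pw in fields.items() if pw == "")

def nullok_lines(pam_text):
    """(line number, text) for active PAM lines carrying a nullok* option."""
    hits = []
    for number, line in enumerate(pam_text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()  # ignore comments
        if any(tok.startswith("nullok") for tok in tokens):
            hits.append((number, line.strip()))
    return hits

def audit(passwd_text, shadow_text, pam_text):
    empty = empty_password_accounts(passwd_text, shadow_text)
    pam = nullok_lines(pam_text)
    # pam_unix accepts an empty password only when nullok is set
    return {"empty": empty, "nullok": pam, "passwordless": bool(empty and pam)}

PASSWD = """\
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
"""
SHADOW = """\
daemon::11900:0:99999:7:::
bin:*:11900:0:99999:7:::
games:!:11900:0:99999:7:::
"""
PAM = """\
auth required pam_unix.so nullok
# auth required pam_unix.so nullok
account required pam_unix.so
"""
```

On a real system the three inputs would be the contents of /etc/passwd, /etc/shadow and each file under /etc/pam.d, read as root.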



