Bug#155267: default login with no password possible
> A recent security audit turned up the ability to login on a fresh
> install with the accounts bin, daemon, and games from a telnet session
> with out a password.
I just did a fresh woody install (idepci, serial console FWIW) and
installed telnetd. I cannot reproduce this problem:
Debian GNU/Linux 3.0 meow
meow login: daemon
> A fix seemed to be making sure that the password in /etc/passwd (or
> /etc/shadow if configured) is set to "!" instead of "*". Another issue
> might have been the existence of "nullok" in /etc/pam.d/login (and other
Were you able to login without a pasword after you had set the root
password? IIRC before setting the root password one can log in as
root without a password.
> I've not been able to reproduce this on the only other Debian system I
> have access to, however, it is still Debian 2.2.
> I am using Debian GNU/Linux 3.0, kernel 2.4.18-686 and libc-2.2.5
If you can provide any more information so that we can reproduce this
problem it would be helpful.