[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#155267: default login with no password possible

> A recent security audit turned up the ability to login on a fresh
> install with the accounts bin, daemon, and games from a telnet session
> with out a password.

I just did a fresh woody install (idepci, serial console FWIW) and
installed telnetd.  I cannot reproduce this problem:

Debian GNU/Linux 3.0 meow
meow login: daemon
Login incorrect

> A fix seemed to be making sure that the password in /etc/passwd (or
> /etc/shadow if configured) is set to "!" instead of "*".  Another issue
> might have been the existence of "nullok" in /etc/pam.d/login (and other
> files).

Were you able to login without a pasword after you had set the root
password?  IIRC before setting the root password one can log in as
root without a password.

> I've not been able to reproduce this on the only other Debian system I
> have access to, however, it is still Debian 2.2.
> I am using Debian GNU/Linux 3.0, kernel 2.4.18-686 and libc-2.2.5

If you can provide any more information so that we can reproduce this
problem it would be helpful.



Reply to: