Bug#155267: default login with no password possible
On Fri, Aug 02, 2002 at 02:43:15PM -0500, Dooley, Ryan wrote:
> Package: base install
>
> Version: 3.0 (woody)
>
> A recent security audit turned up the ability to log in on a fresh
> install with the accounts bin, daemon, and games from a telnet session
> without a password.
>
> A fix seemed to be making sure that the password in /etc/passwd (or
> /etc/shadow if configured) is set to "!" instead of "*". Another issue
> might have been the existence of "nullok" in /etc/pam.d/login (and other
> files).
>
> I've not been able to reproduce this on the only other Debian system I
> have access to, however, it is still Debian 2.2.
>
> I am using Debian GNU/Linux 3.0, kernel 2.4.18-686 and libc-2.2.5
>
> Ryan
>
By default on a new install, telnet is commented out from starting up in
inetd.conf. telnetd itself is not installed by default.
I also was not able to verify your assertion after installing telnetd
and enabling it.
--
*------v--------- Installing Debian GNU/Linux 3.0 --------v------*
| <http://www.debian.org/releases/stable/installmanual> |
| debian-imac: <http://debian-imac.sourceforge.net> |
| Chris Tillman tillman@voicetrak.com |
| To Have, Give All to All (ACIM) |
*----------------------------------------------------------------*
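
An added example, not part of the original thread and not Debian's own tooling: a check for the two conditions raised in the report, an empty password field in passwd/shadow-format lines and `nullok` on a pam_unix auth line. All sample lines are constructed and the function names are hypothetical.

```python
# Added example: sample data below is constructed, not taken from a real system.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
games::5:60:games:/usr/games:/bin/sh
"""
SHADOW = """root:$1$constructed$notARealHashValue:11900:0:99999:7:::
daemon:*:11900:0:99999:7:::
bin:!:11900:0:99999:7:::
"""
PAM_LOGIN = """auth  requisite  pam_securetty.so
auth  required   pam_unix.so nullok
"""

def classify(field):
    """Classify the password field of a passwd or shadow entry."""
    if field == "":
        return "empty"    # no password set; login depends on the PAM stack
    if field[0] in "!*":
        return "locked"   # not a valid hash, so no typed password can match
    return "hash"

def audit_accounts(passwd_text, shadow_text):
    """Map each user to empty/locked/hash, following 'x' into shadow."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l.count(":") >= 1)
    states = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue      # skip blank or malformed lines
        user, field = parts[0], parts[1]
        if field == "x":  # real value lives in the shadow file
            field = shadow.get(user, "*")  # assumption: no shadow entry = no usable password
        states[user] = classify(field)
    return states

def pam_allows_null(pam_text):
    """True if an active auth line passes nullok to pam_unix.so."""
    for line in pam_text.splitlines():
        tok = line.split("#", 1)[0].split()
        mods = [i for i, t in enumerate(tok) if t.endswith("pam_unix.so")]
        if tok and tok[0] == "auth" and mods and "nullok" in tok[mods[0] + 1:]:
            return True
    return False

def passwordless_logins(passwd_text, shadow_text, pam_text):
    """Users with an empty password field while the PAM stack accepts nulls."""
    states = audit_accounts(passwd_text, shadow_text)
    return sorted(u for u, s in states.items() if s == "empty") if pam_allows_null(pam_text) else []
```

On a live system the same functions can be given the contents of /etc/passwd, /etc/shadow and /etc/pam.d/login, read as root.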