
Re: Any Account Logs In With Any Password

Depends on your full stack, but yes, this is the PAM behavior, as checks prior to this indicate a soft success. If you remove authentication from your system, it's expected that any attempt to access will pass, barring any specific denial.

--On Monday, October 25, 2010 17:16 -0400 Brad Tilley <rtilley@vt.edu> wrote:

While experimenting with PCI DSS on a default Debian Linux system, I
found that when I comment out this line:

auth    required        pam_unix.so nullok_secure

in /etc/pam.d/common-auth, any account may ssh into the box by typing
anything as the password. Is this the desired behavior? I would think
that it would fail by default.
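
Added example, not part of the original thread: a small audit that flags a PAM auth stack in which no active line calls a credential-verifying module, which is the state described above once the pam_unix.so line is commented out. The function names, the `CREDENTIAL_MODULES` set and the pam_env.so sample line are assumptions made for illustration, and `@include` lines are not followed.

```python
import re

# Assumption: modules treated as actually verifying a credential.
# Extend this set for the modules deployed on your systems.
CREDENTIAL_MODULES = {"pam_unix.so", "pam_ldap.so", "pam_krb5.so", "pam_sss.so"}

# type, control (simple keyword or [bracketed] form), module path
ENTRY = re.compile(r"^-?(?P<type>auth|account|password|session)\s+"
                   r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)", re.I)

def active_auth_entries(text):
    """Return (control, module) for each uncommented auth line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = ENTRY.match(line)
        if m and m.group("type").lower() == "auth":
            module = m.group("module").rsplit("/", 1)[-1]  # strip any path
            entries.append((m.group("control"), module))
    return entries

def audit_auth_stack(text):
    """Flag an auth stack in which no listed module checks a credential."""
    entries = active_auth_entries(text)
    verifiers = [mod for ctl, mod in entries
                 if mod in CREDENTIAL_MODULES and ctl.lower() != "optional"]
    return {"entries": entries, "verifiers": verifiers, "ok": bool(verifiers)}

# Constructed samples: the line from the post, active and commented out,
# plus a constructed pam_env.so line standing in for the rest of a stack.
DEFAULT = """\
auth    required        pam_env.so
auth    required        pam_unix.so nullok_secure
"""
COMMENTED = """\
auth    required        pam_env.so
#auth    required        pam_unix.so nullok_secure
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT), ("commented", COMMENTED)):
        result = audit_auth_stack(text)
        status = "OK" if result["ok"] else "NO CREDENTIAL CHECK"
        print(name, status, result["entries"])
```
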
