Re: Any Account Logs In With Any Password
Henrique de Moraes Holschuh wrote:
> On Mon, 25 Oct 2010, Michael Loftis wrote:
>> checks prior to this indicate a soft success. If you remove
>> authentication from your system, it's expected that any attempt to
>> access will pass, barring any specific denial.
> If I remove authentication from my system, I expect it to tell me to get
> lost, as that is the _only_ safe failure scenario. Recovery is supposed to
> be done through single-user mode and sulogin in that case (if you don't have
> a root window already open somewhere, that is).
I felt the same way. I understand that I removed authentication by
accidentally commenting out that line, but I thought that would cause
authentication to fail. Obviously, authentication is not succeeding,
it's just that authentication is not happening at all and you can type
anything and get a shell on the remote system (provided you know a user
name). In short, that behavior surprised me.
I expected an authentication failure, but got a shell instead.
> This fail-unsafe behaviour looks like it is a "feature" of the default
> config being shipped in /etc/pam.d/common-*. I wonder what is the
> justification behind that decision...
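As an added illustration (not part of the thread), here is a small Python model of Linux-PAM's control-flag handling, run over the three-line common-auth stack that Debian's pam-auth-update ships by default. The thread does not say which line was commented out, so the model evaluates both possibilities: the sufficiency-style `[success=1 default=ignore]` line for pam_unix and the `requisite pam_deny.so` line behind it. The control-flag semantics are simplified to what is needed for this stack.

```python
# Simplified model of Linux-PAM auth-stack evaluation: just enough of the
# control-flag semantics (required / requisite / sufficient / [success=N
# default=ignore]) to show why Debian's common-auth stack is fail-closed
# only while every one of its lines is present.

DEBIAN_COMMON_AUTH = [
    # (control flag, module) -- Debian's default /etc/pam.d/common-auth
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]

def module_result(module, password_ok):
    """What each module returns for one attempt (constructed for the model)."""
    if module == "pam_unix.so":
        return password_ok                  # the real password check
    return module == "pam_permit.so"        # pam_permit always succeeds, pam_deny always fails

def run_stack(stack, password_ok):
    """Evaluate an auth stack; True means authenticated, False means denied."""
    verdict = None      # None: no module has set a verdict yet
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = module_result(module, password_ok)
        skip = 0
        if control == "requisite" and not ok:
            return False                    # abort the stack immediately
        if control in ("required", "requisite"):
            if not ok:
                verdict = False             # remembered; the stack keeps running
            elif verdict is None:
                verdict = True
        elif control == "sufficient":
            if ok and verdict is not False:
                return True
        elif control.startswith("[success="):
            # Debian style: on success jump over N entries, otherwise ignore.
            if ok:
                skip = int(control.split("success=")[1].split()[0].rstrip("]"))
                if verdict is None:
                    verdict = True
        i += 1 + skip
    # Linux-PAM denies when the stack ends without any module setting a verdict.
    return bool(verdict)

def without(stack, module):
    """The same stack with one line 'commented out'."""
    return [entry for entry in stack if entry[1] != module]

if __name__ == "__main__":
    for name, stack in [("intact", DEBIAN_COMMON_AUTH),
                        ("pam_deny removed", without(DEBIAN_COMMON_AUTH, "pam_deny.so")),
                        ("pam_unix removed", without(DEBIAN_COMMON_AUTH, "pam_unix.so"))]:
        print(f"{name:18} good password -> {run_stack(stack, True)}, "
              f"wrong password -> {run_stack(stack, False)}")
```

Removing the pam_deny line leaves pam_unix's failure ignored and pam_permit as the only remaining verdict, so any password is accepted; removing pam_unix instead leaves the requisite pam_deny to reject everything, which is the fail-closed outcome the thread expected.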