[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Any Account Logs In With Any Password

Henrique de Moraes Holschuh wrote:
> On Mon, 25 Oct 2010, Michael Loftis wrote:
>> checks prior to this indicate a soft success.  If you remove
>> authentication from your system, its expected that any attempt to
>> access will pass, barring and specific denial.
> If I remove authentication from my system, I expect it to tell me to get
> lost, as that is the _only_ safe failure scenario.  Recovery is supposed to
> be done through single-user mode and sulogin in that case (if you don't have
> a root window already open somewhere, that is).

I felt the same way. I understand that I removed authentication by
accidentally commenting out that line, but I thought that would cause
authentication to fail. Obviously, authentication is not succeeding,
it's just that authentication is not happening at all and you can type
anything and get a shell on the remote system (provided you know a user
name). In short, that behavior surprised me.

I expected an authentication failure, but got a shell instead.


> This fail-unsafe behaviour looks like it is a "feature" of the default
> config being shipped in /etc/pam.d/common-*.  I wonder what is the
> justification behind that decision...

Reply to: