Re: Any Account Logs In With Any Password

On 10/27/2010 04:05 PM, Henrique de Moraes Holschuh wrote:
> On Mon, 25 Oct 2010, Michael Loftis wrote:
>> checks prior to this indicate a soft success.  If you remove
>> authentication from your system, it's expected that any attempt to
>> access will pass, barring any specific denial.
> If I remove authentication from my system, I expect it to tell me to get
> lost, as that is the _only_ safe failure scenario.  Recovery is supposed to
> be done through single-user mode and sulogin in that case (if you don't have
> a root window already open somewhere, that is).
> This fail-unsafe behaviour looks like it is a "feature" of the default
> config being shipped in /etc/pam.d/common-*.  I wonder what is the
> justification behind that decision...

Wait, let me get this right.  You have a *server running*, you then
*remove authentication* on said server and then you *expect* the system
to tell everybody to go away?  So if that is the case, why would you be
running the server in the first place?  An ironic situation...  I like
the idea of blaming the system for an administrator's lack of competency
when it comes to systems security.
