Any Account Logs In With Any Password

To: debian-security@lists.debian.org
Subject: Any Account Logs In With Any Password
From: Brad Tilley <rtilley@vt.edu>
Date: Mon, 25 Oct 2010 17:16:51 -0400
Message-id: <[🔎] 4CC5F3C3.5020502@vt.edu>

While experimenting with PCI DSS on a default Debian Linux system, I
found that when I comment out this line:

auth    required        pam_unix.so nullok_secure

in /etc/pam.d/common-auth, any account may ssh into the box by typing
anything as the password. Is this the desired behavior? I would think
that it would fail by default.

Reply to:

Follow-Ups:
- Re: Any Account Logs In With Any Password
  - From: Noah Meyerhans <noahm@debian.org>
- Re: Any Account Logs In With Any Password
  - From: Michael Loftis <mloftis@wgops.com>

Prev by Date: Re: [SECURITY] [DSA 2122-1] New glibc packages fix local privilege escalation
Next by Date: Re: Any Account Logs In With Any Password
Previous by thread: Re: [SECURITY] [DSA 2122-1] New glibc packages fix local privilege escalation
Next by thread: Re: Any Account Logs In With Any Password
Index(es):
- Date
- Thread