Re: Any Account Logs In With Any Password

To: debian-security@lists.debian.org
Subject: Re: Any Account Logs In With Any Password
From: Noah Meyerhans <noahm@debian.org>
Date: Mon, 25 Oct 2010 19:52:57 -0400
Message-id: <[🔎] 20101025235257.GI6942@morgul.net>
Mail-followup-to: Noah Meyerhans <noahm@debian.org>, debian-security@lists.debian.org
In-reply-to: <[🔎] 4CC5F3C3.5020502@vt.edu>
References: <[🔎] 4CC5F3C3.5020502@vt.edu>

On Mon, Oct 25, 2010 at 05:16:51PM -0400, Brad Tilley wrote:
> While experimenting with PCI DSS on a default Debian Linux system, I
> found that when I comment out this line:
> 
> auth    required        pam_unix.so nullok_secure
> 
> in /etc/pam.d/common-auth, any account may ssh into the box by typing
> anything as the password. Is this the desired behavior? I would think
> that it would fail by default.

If no authentication modules are 'required', then no authentication is
required.  Makes sense to me.

noah

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Any Account Logs In With Any Password
  - From: Brad Tilley <rtilley@vt.edu>

Prev by Date: Any Account Logs In With Any Password
Next by Date: Re: Any Account Logs In With Any Password
Previous by thread: Any Account Logs In With Any Password
Next by thread: Re: Any Account Logs In With Any Password
Index(es):
- Date
- Thread