Re: Any Account Logs In With Any Password

To: debian-security@lists.debian.org
Subject: Re: Any Account Logs In With Any Password
From: Michael Loftis <mloftis@wgops.com>
Date: Mon, 25 Oct 2010 21:59:55 -0600
Message-id: <85DB4032FBDB47DBEC79C87E@[192.168.1.66]>
In-reply-to: <[🔎] 4CC5F3C3.5020502@vt.edu>
References: <[🔎] 4CC5F3C3.5020502@vt.edu>

Depends on your full stack, but yes, this is the PAM behavior as checksprior to this indicate a soft success. If you remove authentication fromyour system, its expected that any attempt to access will pass, barring andspecific denial.

--On Monday, October 25, 2010 17:16 -0400 Brad Tilley <rtilley@vt.edu>wrote:

While experimenting with PCI DSS on a default Debian Linux system, I
found that when I comment out this line:

auth    required        pam_unix.so nullok_secure

in /etc/pam.d/common-auth, any account may ssh into the box by typing
anything as the password. Is this the desired behavior? I would think
that it would fail by default.



--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org Archive:
[🔎] 4CC5F3C3.5020502@vt.edu">http://lists.debian.org/[🔎] 4CC5F3C3.5020502@vt.edu

Reply to:

Follow-Ups:
- Re: Any Account Logs In With Any Password
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

References:
- Any Account Logs In With Any Password
  - From: Brad Tilley <rtilley@vt.edu>

Prev by Date: Re: Any Account Logs In With Any Password
Next by Date: Re: Any Account Logs In With Any Password
Previous by thread: Re: Any Account Logs In With Any Password
Next by thread: Re: Any Account Logs In With Any Password
Index(es):
- Date
- Thread