Re: Any Account Logs In With Any Password

[Jordon Bedwell <jordon@envygeeks.com>]

On 10/27/2010 04:05 PM, Henrique de Moraes Holschuh wrote:
> On Mon, 25 Oct 2010, Michael Loftis wrote:
>> checks prior to this indicate a soft success.  If you remove
>> authentication from your system, its expected that any attempt to
>> access will pass, barring and specific denial.
> 
> If I remove authentication from my system, I expect it to tell me to get
> lost, as that is the _only_ safe failure scenario.  Recovery is supposed to
> be done through single-user mode and sulogin in that case (if you don't have
> a root window already open somewhere, that is).
> 
> This fail-unsafe behaviour looks like it is a "feature" of the default
> config being shipped in /etc/pam.d/common-*.  I wonder what is the
> justification behind that decision...

Wait, let me get this right.  You have a *server running*, you then
*remove authentication* on said server and then you *expect* the system
to tell everybody to go away?  So if that is the case, why would you be
running the server in the first place?  An ironic situation...  I like
the idea of blaming the system for an administrators lack of competency
when it comes to systems security.