
Bug#248133: Debian bug #248133: sshd: access denied: tty 'ssh' is not secure



retitle 248133 pam_unix: should check nullok only if it gets an empty password
reassign 248133 libpam-modules
thanks

Hello,

pam_unix should check empty passwords *after* the user
typed an empty password. This equals the behaviour
of non-PAM systems: there, empty-passworded users also
have to type an empty password to get in.
This prevents information leakage and simple
empty-password checks.
And this would also prevent the syslog messages about
insecure terminals in case of nullok_secure mentioned
earlier in this bug report.

Currently, pam_unix checks empty passwords just before
it reads a password from the user:
pam_unix/pam_unix_auth.c:149
	/* if this user does not have a password... */

	if (_unix_blankpasswd(ctrl, pamh, name)) {
		D(("user '%s' has blank passwd", name));
		name = NULL;
		retval = PAM_SUCCESS;
		AUTH_RETURN;
	}
	/* get this user's authentication token */

	retval = _unix_read_password(pamh, ctrl, NULL, "Password: ", NULL
				     ,_UNIX_AUTHTOK, &p);
...


regards,
   Mario
-- 
"Why are we hiding from the police, daddy?"      | J. E. Guenther
"Because we use SuSE son, they use SYSVR4."      | de.alt.sysadmin.recovery
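Added illustration of the two orderings discussed above (not pam_unix code, not part of the original message): a constructed account table and two stand-in authentication routines, where auth_current() models the check-before-prompt order and auth_proposed() models checking only after a password has been read. The NULLOK flag, the result codes and the cleartext comparison are all assumptions of this model; the real module compares crypt() output.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the ordering discussed in Debian bug #248133.
 * Assumed names: NULLOK stands in for the nullok option, AUTH_* are
 * stand-ins for PAM return codes, and passwords are kept in cleartext
 * purely for illustration (real pam_unix compares crypt() output). */
#define NULLOK       1u
#define AUTH_OK      0
#define AUTH_DENIED  1
#define AUTH_PROMPT  2   /* caller must still prompt for a password */

struct account {
    const char *name;
    const char *stored;  /* "" means the account has no password */
};

/* Constructed sample data, not real accounts. */
static const struct account ACCOUNTS[] = {
    { "guest", "" },
    { "alice", "s3cret" },
};

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, name) == 0) return &ACCOUNTS[i];
    return NULL;
}

static int blank_passwd(const struct account *a) { return a->stored[0] == '\0'; }

/* Current order: the blank check runs before any password is read, so a
 * blank-password account succeeds without the user typing anything, and
 * the result alone reveals which accounts have no password. */
int auth_current(const char *name, unsigned ctrl) {
    const struct account *a = lookup(name);
    if (a == NULL) return AUTH_DENIED;
    if ((ctrl & NULLOK) && blank_passwd(a)) return AUTH_OK;
    return AUTH_PROMPT;
}

/* Proposed order: a password is always read first; an empty typed
 * password against a blank account is then just a normal match,
 * and nullok is consulted only at that point. */
int auth_proposed(const char *name, const char *typed, unsigned ctrl) {
    const struct account *a = lookup(name);
    if (a == NULL) return AUTH_DENIED;
    if (blank_passwd(a))
        return ((ctrl & NULLOK) && typed[0] == '\0') ? AUTH_OK : AUTH_DENIED;
    return strcmp(typed, a->stored) == 0 ? AUTH_OK : AUTH_DENIED;
}
```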