Bug#248133: Debian bug #248133: sshd: access denied: tty 'ssh' is not secure
retitle 248133 pam_unix: should check nullok only if it gets an empty password
reassign 248133 libpam-modules
thanks
Hello,
pam_unix should check empty passwords *after* the user
typed an empty password. This matches the behaviour
of non-PAM systems: there, empty-passworded users also
have to type an empty password to get in.
This prevents information leakage and simple empty-
password checks.
And this would also prevent the syslog messages about
insecure terminals in case of nullok_secure mentioned
earlier in this bug report.
Currently, pam_unix checks empty passwords just before
it reads a password from the user:
pam_unix/pam_unix_auth.c:149

    /* if this user does not have a password... */
    if (_unix_blankpasswd(ctrl, pamh, name)) {
        D(("user '%s' has blank passwd", name));
        name = NULL;
        retval = PAM_SUCCESS;
        AUTH_RETURN;
    }
    /* get this user's authentication token */
    retval = _unix_read_password(pamh, ctrl, NULL, "Password: ", NULL
                                 ,_UNIX_AUTHTOK, &p);
    ...
regards,
Mario
--
"Why are we hiding from the police, daddy?" | J. E. Guenther
"Because we use SuSE son, they use SYSVR4." | de.alt.sysadmin.recovery
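The two orderings discussed in the report, as an added example that is not pam_unix code or part of the original message: a minimal model in which the user table, the `read_password()` stand-in and the `auth_current()` / `auth_proposed()` names are assumptions. The `was_prompted()` flag exposes the observable difference: with the current ordering a blank-password account is accepted without any prompt, while the proposed ordering always prompts and honours nullok only for an actually empty typed password.

```c
/* Added example (not pam_unix code): a model of the two orderings discussed
 * above. Names, the user table and the prompt stand-in are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define AUTH_OK   0
#define AUTH_FAIL 1
/* Constructed user table; pw stands in for the stored hash, "" = blank. */
struct user { const char *name; const char *pw; };
static const struct user users[] = { { "alice", "s3cret" }, { "guest", "" } };

static const struct user *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}
/* Whether the last attempt prompted the user (the observable difference). */
static int prompted;
int was_prompted(void) { return prompted; }
/* Stand-in for _unix_read_password(): returns what the user typed. */
static const char *read_password(const char *typed) { prompted = 1; return typed; }

/* A blank stored password is accepted only when nullok is set AND the
 * user actually typed an empty password, as non-PAM login behaves. */
static int verify(const struct user *u, const char *typed, bool nullok)
{
    if (!u) return AUTH_FAIL;
    if (u->pw[0] == '\0')
        return (nullok && typed[0] == '\0') ? AUTH_OK : AUTH_FAIL;
    return strcmp(typed, u->pw) == 0 ? AUTH_OK : AUTH_FAIL;
}

/* Current ordering (as in the quoted pam_unix_auth.c): a blank-password
 * account succeeds before any prompt, so the missing prompt reveals it. */
int auth_current(const char *name, const char *typed, bool nullok)
{
    const struct user *u = lookup(name);
    prompted = 0;
    if (u && nullok && u->pw[0] == '\0')
        return AUTH_OK;
    return verify(u, read_password(typed), nullok);
}

/* Proposed ordering: always prompt first, then apply the same check. */
int auth_proposed(const char *name, const char *typed, bool nullok)
{
    const struct user *u = lookup(name);
    prompted = 0;
    return verify(u, read_password(typed), nullok);
}
```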