Bug 1952104
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | proftpd might allow logins to accounts without password due to PAM configuration | | |
| Product | [Fedora] Fedora EPEL | Reporter | Max Grobecker <m.grobecker> |
| Component | proftpd | Assignee | Paul Howarth <paul> |
| Status | NEW --- | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | epel7 | CC | ingvar, matthias, m.grobecker, mkaplan, paul |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Max Grobecker
2021-04-21 14:03:40 UTC
It seems to me that this is at least close to the intended behaviour. The "passwd -d" deletes the password to facilitate passwordless login for that user. So why shouldn't the FTP server honour that and allow login with any password?

I see, passwd -d seems not to be the best choice if you want to remove passwords. Unfortunately, unlike i.e. sshd or vsftpd, proftpd has no option to disallow logins with empty passwords by itself. Proftpd has an option "AllowEmptyPasswords", which can be set to disallow empty passwords, but this option does not exist in version 1.3.5e shipped in epel7 since it was introduced with version 1.3.6. IMHO it might be a sensitive option to prevent passwordless logins through PAM for proftpd by default.

OK, I propose to adopt the proposed PAM change for EPEL-7 only, since the Fedora and EPEL-8 versions can use the "AllowEmptyPasswords" option to prevent use of empty passwords. Does that sound reasonable?
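The two conditions the discussion turns on, an account whose password was cleared with `passwd -d` and a PAM stack that accepts such an account, can both be audited from the files involved. The script below is an added example, not code from this bug report, from Fedora or from the proftpd project. It assumes that the empty-password acceptance comes from a `nullok` (or `nullok_secure`) argument on `pam_unix.so` in the PAM stack that proftpd's service file reaches, which the report does not spell out, and it runs on constructed sample records rather than the real `/etc/shadow`, `/etc/pam.d` and `proftpd.conf` files; every account name, hash string and config line in it is constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed /etc/shadow-style records (names and hash strings are made up).
# `passwd -d ftpguest` leaves the second field empty, as in the third line.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:$6$anothersalt$anotherconstructedhash:19000:0:99999:7:::
ftpguest::19000:0:99999:7:::
svc-backup:!!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

# Constructed PAM auth stack of the kind a service file reaches through
# `auth include password-auth` on EL7 (assumption; inspect the real file).
SAMPLE_PAM = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
"""

# Constructed proftpd.conf fragment for a 1.3.6 or later install.
SAMPLE_PROFTPD_CONF = """\
ServerName "constructed example"
AuthPAMConfig proftpd
AllowEmptyPasswords off
"""


def empty_password_accounts(shadow_text: str) -> List[str]:
    """Login names whose shadow password field is empty.

    Locked accounts ('!', '!!', '*') are not reported: no password matches
    them at all.  Only the empty field that `passwd -d` leaves behind is.
    """
    names = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed record: skip rather than guess
        if fields[1] == "":
            names.append(fields[0])
    return names


def nullok_lines(pam_text: str) -> List[Tuple[int, str]]:
    """(line number, module) for `auth` lines carrying nullok or nullok_secure.

    nullok_secure is reported too: it still accepts empty passwords, only
    restricted to ttys listed in /etc/securetty, which has no bearing on FTP.
    """
    hits = []
    for lineno, line in enumerate(pam_text.splitlines(), start=1):
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0] != "auth":
            continue
        # The control field may use the bracketed form "[success=1 default=ignore]",
        # which spans several tokens; skip to its closing bracket.
        idx = 1
        if tokens[1].startswith("["):
            while idx < len(tokens) and not tokens[idx].endswith("]"):
                idx += 1
        module_idx = idx + 1
        if module_idx >= len(tokens):
            continue
        module, args = tokens[module_idx], tokens[module_idx + 1:]
        if any(re.fullmatch(r"nullok(_secure)?", a) for a in args):
            hits.append((lineno, module))
    return hits


def allow_empty_passwords_off(conf_text: str) -> bool:
    """True if proftpd.conf (1.3.6+) explicitly sets AllowEmptyPasswords off."""
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) == 2 and tokens[0].lower() == "allowemptypasswords":
            return tokens[1].lower() == "off"
    return False


def audit(shadow_text: str, pam_text: str) -> Dict[str, object]:
    """Combine both checks; the host is exposed only when both conditions hold."""
    accounts = empty_password_accounts(shadow_text)
    nullok = nullok_lines(pam_text)
    return {"accounts": accounts, "nullok": nullok, "exposed": bool(accounts and nullok)}


if __name__ == "__main__":
    report = audit(SAMPLE_SHADOW, SAMPLE_PAM)
    for name in report["accounts"]:
        print(f"empty password field: {name}")
    for lineno, module in report["nullok"]:
        print(f"nullok on line {lineno}: {module}")
    print("exposed:", report["exposed"])
    print("AllowEmptyPasswords off:", allow_empty_passwords_off(SAMPLE_PROFTPD_CONF))
```

To audit a real host, feed `empty_password_accounts` the contents of `/etc/shadow` (root is needed to read it) and `nullok_lines` the proftpd PAM service file plus every file it `include`s, since the `nullok` argument usually lives in the shared stack rather than the service file itself. `exposed` is true only when both conditions hold, which is the situation the report describes for 1.3.5e on epel7. On proftpd 1.3.6 and later, `AllowEmptyPasswords off` closes the same gap inside the daemon regardless of the PAM stack; `allow_empty_passwords_off` checks for that line.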