Bug 21268

Summary: PermitEmptyPasswords=yes terminates SSH sessions
Product: [Retired] Red Hat Linux Reporter: Derek Poon <dpoon>
Component: opensshAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: dr, pekkas
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-11-29 20:23:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Derek Poon 2000-11-22 21:54:19 UTC 
This bug was introduced when updating from openssh-server-2.1.1p4-1 to
openssh-server-2.3.0p1-4.i386.rpm.  With 2.3.0p1, if /etc/ssh/sshd_config
has "PermitEmptyPasswords yes", then a client logging in using a DSA key
immediately has its  session terminated.  This did not happen with 2.1.1p4

Here's the output from "ssh -v localhost" with 2.3.0p1:

$ ssh -v localhost
SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /home/dpoon/.ssh/config
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Allocated local port 1022.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version
OpenSSH_2.3.0p1
debug: no match: OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.3.0p1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit:
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc.se
debug: got kexinit:
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit: 
debug: got kexinit: 
debug: first kex follow: 0 
debug: reserved: 0 
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 zlib
debug: kex: client->server 3des-cbc hmac-sha1 zlib
debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug: bits set: 1027/2049
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Forcing accepting of host key for loopback/localhost.
debug: bits set: 1041/2049
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: Enabling compression at level 6.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue:
publickey,keyboard-interactive,password
debug: next auth method to try is publickey
debug: trying DSA agent key /home/dpoon/.ssh/id_dsa
debug: ssh-userauth2 successfull: method publickey
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: client_init id 0 arg 0
debug: Requesting X11 forwarding with authentication spoofing.
debug: channel request 0: shell
debug: channel 0: open confirm rwindow 0 rmax 16384
Connection to localhost closed by remote host.
Connection to localhost closed.
debug: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.1 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 1177.6
debug: Exit status -1
debug: compress outgoing: raw data 767, compressed 697, factor 0.91
debug: compress incoming: raw data 80, compressed 77, factor 0.96
Comment 1 Pekka Savola 2000-11-23 22:11:06 UTC 
Works for me (the server isn't RHL7 though).

I'd debug sshd too. 

Does replacing /etc/pam.d/sshd with the earlier version
help? (now, pam_stack + system-auth is used)

E.g.:
---
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so
---
Comment 2 Nalin Dahyabhai 2000-11-28 23:50:28 UTC 
I can duplicate this with both 2.1.1p4 and 2.3.0p1, which is not good.  I'll
need to investigate further.
Comment 3 Nalin Dahyabhai 2000-11-29 20:23:09 UTC 
I think the 2.3.0p1-6 packages in http://people.redhat.com/nalin/test/ will fix
this.  If you can, please test them and let me know if they do.
Comment 4 Nalin Dahyabhai 2001-01-23 03:37:21 UTC 
Verified as fixed in Raw Hide.