Bug 9299

Summary: add "emptycheck" option to pam_pwdb module
Product: [Retired] Red Hat Raw Hide
Component: pam
Version: 1.0
Keywords: FutureFeature
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Doc Type: Enhancement
Reporter: Jonathan Kamens <jik>
Assignee: Nalin Dahyabhai <nalin>
Last Closed: 2000-05-22 15:36:42 UTC
Attachments: patch to add "emptycheck" to pam_pwdb

Description Jonathan Kamens 2000-02-10 14:09:51 UTC
Whenever an ssh1 client attempts to connect to an ssh1 server, the server
first attempts to authenticate the client using an empty password, so that
if the user's password is indeed empty, he will be logged in without ever
being prompted for it.

If the user's password is *not* empty, pam_pwdb generates a syslog message
claiming that an authentication failure occurred; in fact, the "failure" is
just a normal check for an empty password.  The problem is that automated
syslog watchers have no good way to distinguish between this harmless
failure and failures indicating real attempts to break into the system.

The attached patch adds a new "emptycheck" option to the pam_pwdb module.
When that option is specified, a service attempts to authenticate with an
empty password, and the user's password isn't actually empty, the generated
log message is modified to indicate that an empty password was specified,
so that syslog watchers can filter the message out based on services for
which this is permissible.

In other words, instead of this:

Feb 10 08:53:04 jik PAM_pwdb[24207]: authentication failure; (uid=0) -> jik for ssh service

it says this:

Feb 10 09:07:38 jik PAM_pwdb[25622]: authentication failure (empty password specified); (uid=0) -> jik for ssh service
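
[Added example, not part of the original report or the attached patch: a sketch of how a syslog watcher could use the proposed marker to drop empty-password probes only for services where they are expected. The EMPTY_PROBE_OK allowlist, the function names and the sample lines beyond the two quoted above are assumptions made for illustration.]

```python
import re

# Assumption: the operator lists services whose clients probe with an empty
# password; "ssh" is the service name that appears in the report's log lines.
EMPTY_PROBE_OK = {"ssh"}

# Anchored at both ends so text inside the user field cannot be read as a
# second, fake "empty password specified" message.
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]{8} \S+ PAM_pwdb\[\d+\]: authentication failure"
    r"(?P<empty> \(empty password specified\))?; "
    r"\(uid=\d+\) -> (?P<user>\S+) for (?P<service>\S+) service$"
)

def classify(line, empty_probe_ok=EMPTY_PROBE_OK):
    """Return 'ignore', 'alert' or 'other' for one syslog line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        # A failure line that does not parse cleanly is reported, not dropped.
        return "alert" if "authentication failure" in line else "other"
    if m.group("empty") and m.group("service") in empty_probe_ok:
        return "ignore"
    return "alert"

def alerts(lines, empty_probe_ok=EMPTY_PROBE_OK):
    """Return the lines a watcher should still report."""
    return [l for l in lines if classify(l, empty_probe_ok) == "alert"]

# Constructed sample: the two lines quoted in the report, plus three made up
# here (a non-allowlisted service, an unrelated message, a malformed failure).
SAMPLE = [
    "Feb 10 08:53:04 jik PAM_pwdb[24207]: authentication failure; (uid=0) -> jik for ssh service",
    "Feb 10 09:07:38 jik PAM_pwdb[25622]: authentication failure (empty password specified); (uid=0) -> jik for ssh service",
    "Feb 10 09:08:01 jik PAM_pwdb[25630]: authentication failure (empty password specified); (uid=0) -> jik for login service",
    "Feb 10 09:09:12 jik PAM_pwdb[25641]: (ssh) session opened for user jik by (uid=0)",
    "Feb 10 09:10:00 jik PAM_pwdb[25650]: authentication failure; (uid=0) -> a PAM_pwdb[1]: authentication failure (empty password specified); (uid=0) -> b for ssh service",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "|", line)
```
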

Comment 1 Jonathan Kamens 2000-02-10 14:10:59 UTC
Created attachment 107
patch to add "emptycheck" to pam_pwdb

Comment 2 Jonathan Kamens 2000-02-10 14:11:59 UTC
One thing I forgot to mention is that the patch doesn't change the behavior of
PAM at all unless "emptycheck" is added to the appropriate line in the
/etc/pam.d configuration file for the service.  Of course, I can't submit a
patch to the ssh maintainers suggesting that they add that option until it's
actually supported by PAM :-).

Comment 3 Cristian Gafton 2000-05-22 15:36:59 UTC
assigned to nalin

Comment 4 Brent Fox 2002-06-04 18:57:16 UTC
Wow, this bug is old.  I'm going to close it because it most likely has been fixed.
If it still occurs in 7.3, please reopen it.