Whenever an ssh1 client attempts to connect to an ssh1 server, the server first attempts to authenticate the client using an empty password, so that if the user's password is indeed empty, he will be logged in without ever being prompted for it. If the user's password is *not* empty, pam_pwdb generates a syslog message claiming that an authentication failure occurred; in fact, the "failure" is just a normal check for an empty password. The problem is that automated syslog watchers have no good way to distinguish between this harmless failure and failures indicating real attempts to break into the system.

The attached patch adds a new "emptycheck" option to the pam_pwdb module. When that option is specified, and a service attempts to authenticate with an empty password but the user's password isn't actually empty, the generated log message is modified to indicate that an empty password was specified, so that syslog watchers can filter the message out based on services for which this is permissible.

In other words, instead of this:

    Feb 10 08:53:04 jik PAM_pwdb[24207]: authentication failure; (uid=0) -> jik for ssh service

it says this:

    Feb 10 09:07:38 jik PAM_pwdb[25622]: authentication failure (empty password specified); (uid=0) -> jik for ssh service
Created attachment 107: patch to add "emptycheck" to pam_pwdb
One thing I forgot to mention is that the patch doesn't change the behavior of PAM at all unless "emptycheck" is added to the appropriate line in the /etc/pam.d configuration file for the service. Of course, I can't submit a patch to the ssh maintainers suggesting that they add that option until it's actually supported by PAM :-).
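A syslog-watcher filter of the kind the report describes, as an added example (not code from the report or from pam_pwdb): it parses the two PAM_pwdb message shapes quoted above and drops only the failures tagged "(empty password specified)" that come from a service whose PAM stack is assumed to carry "emptycheck" (here only ssh); the service set and the sample log lines are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Matches both pam_pwdb message shapes quoted in the report; the optional
# "(empty password specified)" group is what the "emptycheck" patch adds.
PAM_PWDB_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) PAM_pwdb\[(?P<pid>\d+)\]: "
    r"authentication failure(?P<empty> \(empty password specified\))?; "
    r"\(uid=(?P<uid>\d+)\) -> (?P<user>\S+) for (?P<service>\S+) service$"
)

# Assumption: only the ssh service is configured with "emptycheck" in /etc/pam.d.
EMPTY_CHECK_SERVICES = frozenset({"ssh"})


class AuthFailure(NamedTuple):
    host: str
    user: str
    service: str
    empty_password: bool


def parse_line(line: str) -> Optional[AuthFailure]:
    """Return the parsed failure, or None for lines that are not pam_pwdb failures."""
    m = PAM_PWDB_RE.match(line.strip())
    if not m:
        return None
    return AuthFailure(m["host"], m["user"], m["service"], m["empty"] is not None)


def is_suspicious(ev: AuthFailure) -> bool:
    # An empty-password probe from a service that routinely makes one (the ssh1
    # handshake) is noise. A real wrong-password failure, or an empty-password
    # probe from a service that should not be making one, is still reported.
    return not (ev.empty_password and ev.service in EMPTY_CHECK_SERVICES)


def suspicious_failures(lines: List[str]) -> List[AuthFailure]:
    return [ev for ev in map(parse_line, lines) if ev is not None and is_suspicious(ev)]


# Constructed sample log lines in the format quoted in the report.
SAMPLE_LOG = [
    "Feb 10 08:53:04 jik PAM_pwdb[24207]: authentication failure; (uid=0) -> jik for ssh service",
    "Feb 10 09:07:38 jik PAM_pwdb[25622]: authentication failure (empty password specified); (uid=0) -> jik for ssh service",
    "Feb 10 09:10:02 jik PAM_pwdb[25700]: authentication failure (empty password specified); (uid=0) -> root for login service",
    "Feb 10 09:11:00 jik sshd[25710]: Connection closed by 192.0.2.10",
]

if __name__ == "__main__":
    for ev in suspicious_failures(SAMPLE_LOG):
        print(f"ALERT {ev.service}: {ev.user}@{ev.host} empty_password={ev.empty_password}")
```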
assigned to nalin
Wow, this bug is old. I'm going to close it because it has most likely been fixed. If it still occurs in 7.3, please reopen it.