Bug 132893 - pam appears not to work as documented anymore
Product: Fedora
Classification: Fedora
Component: pam
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Tomas Mraz
Reported: 2004-09-18 17:37 EDT by Michal Jaegermann
Modified: 2007-11-30 17:10 EST
Last Closed: 2004-09-20 05:05:27 EDT
Description Michal Jaegermann 2004-09-18 17:37:22 EDT
Description of problem:

Pam documentation states in section 6.19.4 "Authentication component"

        The default action of this module is to not permit the user
        access to a service if their official password is blank. The
        nullok argument overrides this default.

It is not entirely clear to which component this section refers
but apparently to "auth".  In any case in /etc/pam.d/system-auth
'nullok' does show up on lines with
"auth        sufficient" and "password    sufficient".
Still any attempt to ssh to an account with a null password
is suddenly rejected with something like:
"... sshd(pam_unix)[5643]: authentication failure; ..."
in /var/log/messages.

An attempt to change "a paranoid setting" for 'other' to something
else does not help, nor does adding 'nullok' in various places
in /etc/pam.d/sshd.  In any case 'service=system-auth' is supposedly
taking care of that, right?  It is hard to figure out what really
may have happened, especially since adding 'debug' parameters does
not seem to have any discernible effect.

I do appreciate secure defaults but trying to save me from myself
is way too much.  I have my reasons to want what I want.

Version-Release number of selected component (if applicable):
Comment 1 Tomas Mraz 2004-09-20 05:05:27 EDT
If you looked at the documentation closely you would note that section
6.19 is about module pam_pwdb. This module isn't used in the current
Fedora Core distros.

However the pam_unix module has the same option nullok which enables
empty passwords. And this option is included in the system-auth file
and works well.

SSH doesn't accept empty passwords, because by default it does not
have the PermitEmptyPasswords option enabled in /etc/ssh/sshd_config.
Comment 2 Michal Jaegermann 2004-09-20 11:20:18 EDT
The confusion arose because the time of the last sshd change was
2004/Sep/04 and giving whatever for a password on an account with
no password did work until pam was updated on 2004/Sep/18.  So
some behaviour of pam definitely did change.  Maybe for the better;
but it was not sshd that was responsible here (as shown in the quoted
fragments of "authentication failure" messages from pam_unix).

As far as I can tell 'pam_unix' does have 'nullok' present via
/etc/pam.d/system-auth which was always at default.
Comment 3 Tomas Mraz 2004-09-20 11:49:57 EDT
Ah, yes of course, because the old behaviour of ignoring the
PermitEmptyPasswords option was actually a bug in pam which was fixed
in the 0.77-56 release.

See bug 127054
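
The thread's conclusion is that an empty-password SSH login needs both `nullok` on the pam_unix `auth` line and `PermitEmptyPasswords yes` in sshd_config. The following audit sketch is an added example, not part of the bug report or of pam/OpenSSH. It assumes sshd authenticates through PAM, inspects only the global section of sshd_config, and reads the PAM file that actually holds the pam_unix lines; the sample file contents and function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the reporter's machine).
SAMPLE_SSHD = "#PermitEmptyPasswords no\nUsePAM yes\n"
SAMPLE_PAM = """#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
"""

# type, control (plain word or [bracketed]), module path, arguments
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def sshd_permits_empty(sshd_config):
    """Global PermitEmptyPasswords: the first occurrence wins, default is 'no'."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # assumption: only the global section is audited
            break
        if key == "permitemptypasswords" and len(parts) == 2:
            return parts[1].strip().strip('"').lower() == "yes"
    return False

def pam_unix_nullok(pam_text, mgmt="auth"):
    """True if any pam_unix line of the given type carries 'nullok'."""
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        kind, _control, module, args = m.groups()
        if kind.lstrip("-") == mgmt and module.rsplit("/", 1)[-1] == "pam_unix.so":
            if "nullok" in args.split():
                return True
    return False

def empty_password_ssh_login(sshd_config, pam_text):
    """Both layers must allow it, as described in Comments 1 and 3."""
    return sshd_permits_empty(sshd_config) and pam_unix_nullok(pam_text)

if __name__ == "__main__":
    print("default sshd_config:", empty_password_ssh_login(SAMPLE_SSHD, SAMPLE_PAM))
    print("PermitEmptyPasswords yes:",
          empty_password_ssh_login("PermitEmptyPasswords yes\n", SAMPLE_PAM))
```

A `True` result flags a host where accounts with blank passwords are reachable over SSH.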
