Red Hat Bugzilla – Bug 132893
pam appears not to work as documented anymore
Last modified: 2007-11-30 17:10:49 EST
Description of problem:
Pam documentation states in section 6.19.4 "Authentication component"
The default action of this module is to not permit the user
access to a service if their official password is blank. The
nullok argument overrides this default.
It is not entirely clear to which component this section refers
but apparently to "auth". In any case in /etc/pam.d/system-auth
'nullok' does show up on lines with
"auth sufficient" and "password sufficient".
Still any attempt to ssh to an account with a null password
is suddenly rejected with something like:
"... sshd(pam_unix): authentication failure; ..."
An attempt to change "a paranoid setting" for 'other' to something
else does not help nor adding 'nullok' in various places
in /etc/pam.d/sshd. In any case 'service=system-auth' is supposedly
taking care of that, right? It is hard to figure out what really
may have happened, especially since adding 'debug' parameters does
not seem to have any discernible effect.
I do appreciate secure defaults but trying to save me from myself
is way too much. I have my reasons to want what I want.
Version-Release number of selected component (if applicable):
If you looked at the documentation closely you would note that section
6.19 is about module pam_pwdb. This module isn't used in the current
Fedora Core distros.
However the pam_unix module has the same option nullok which enables
empty passwords. And this option is included in the system-auth file
and works well.
SSH doesn't accept empty passwords, because by default the
PermitEmptyPasswords option in /etc/ssh/sshd_config is not enabled.
The confusion arose because the time of the last sshd change was
2004/Sep/04 and giving whatever for a password on an account with
no password did work until pam was updated on 2004/Sep/18. So
some behaviour of pam definitely did change. Maybe for the better;
but it was not sshd that was responsible here (as shown in the quoted
fragments of "authentication failure" messages from pam_unix).
As far as I can tell 'pam_unix' does have 'nullok' present via
/etc/pam.d/system-auth which was always at default.
Ah, yes of course, because the old behaviour of ignoring the
PermitEmptyPasswords option was actually a bug in pam which was fixed
in the 0.77-56 release.
See bug 127054
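As an added check (not part of the bug thread) that captures the two layers the discussion ends on: pam_unix's nullok and sshd's PermitEmptyPasswords both have to allow an empty password before an SSH login with one can succeed. The file names and sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decide whether an empty-password SSH login can succeed.
# Two layers must both allow it: sshd's PermitEmptyPasswords (default "no")
# and the nullok option on pam_unix's "auth" line. All sample files below
# are constructed, not the reporter's actual configuration.

# Effective PermitEmptyPasswords: first uncommented occurrence wins, "no" if absent.
sshd_permits_empty() {   # $1 = sshd_config path
    val=$(awk 'tolower($1)=="permitemptypasswords" { print tolower($2); exit }' "$1")
    [ "${val:-no}" = "yes" ]
}

# True when an uncommented "auth" line loads pam_unix.so with the nullok option.
pam_auth_nullok() {      # $1 = PAM service file path (e.g. system-auth)
    grep -Ev '^[[:space:]]*#' "$1" |
      awk '$1=="auth" && /pam_unix\.so/ && /(^|[[:space:]])nullok([[:space:]]|$)/ { found=1 }
           END { exit !found }'
}

# Combined verdict naming the layer that blocks the login, if any.
empty_login_verdict() {  # $1 = sshd_config path, $2 = PAM service file path
    if ! pam_auth_nullok "$2"; then
        echo "rejected: pam_unix auth line lacks nullok"
    elif ! sshd_permits_empty "$1"; then
        echo "rejected: PermitEmptyPasswords is not yes in sshd_config"
    else
        echo "allowed"
    fi
}

# Constructed sample files (removed on exit).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
EOF
sed 's/ nullok//' "$tmp/system-auth" > "$tmp/system-auth.strict"
printf '# stock default, option commented out\n#PermitEmptyPasswords no\nUsePAM yes\n' > "$tmp/sshd_config.default"
printf 'PermitEmptyPasswords yes\nUsePAM yes\n' > "$tmp/sshd_config.permit"

empty_login_verdict "$tmp/sshd_config.default" "$tmp/system-auth"         # rejected: PermitEmptyPasswords is not yes in sshd_config
empty_login_verdict "$tmp/sshd_config.permit"  "$tmp/system-auth"         # allowed
empty_login_verdict "$tmp/sshd_config.permit"  "$tmp/system-auth.strict"  # rejected: pam_unix auth line lacks nullok
```

On a live system with a newer OpenSSH, `sshd -T` (run as root) prints the effective value of PermitEmptyPasswords after all includes and Match blocks, which is more reliable than reading the file by hand.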