Bug 132893 - pam appears not to work as documented anymore
Summary: pam appears not to work as documented anymore
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-09-18 21:37 UTC by Michal Jaegermann
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-09-20 09:05:27 UTC
Type: ---
Embargoed:



Description Michal Jaegermann 2004-09-18 21:37:22 UTC
Description of problem:

Pam documentation states in section 6.19.4 "Authentication component"

        The default action of this module is to not permit the user
        access to a service if their official password is blank. The
        nullok argument overrides this default.

It is not entirely clear to which component this section refers
but apparently to "auth".  In any case in /etc/pam.d/system-auth
'nullok' does show up on lines with
"auth        sufficient" and "password    sufficient".
Still any attempt to ssh to an account with a null password
is suddenly rejected with something like:
"... sshd(pam_unix)[5643]: authentication failure; ..."
in /var/log/messages.

An attempt to change "a paranoid setting" for 'other' to something
else does not help, nor does adding 'nullok' in various places
in /etc/pam.d/sshd.  In any case 'service=system-auth' is supposedly
taking care of that, right?  It is hard to figure out what really
may have happened, especially as adding 'debug' parameters does
not seem to have any discernible effect.

I do appreciate secure defaults but trying to save me from myself
is way too much.  I have my reasons to want what I want.

Version-Release number of selected component (if applicable):
pam-0.77-56

Comment 1 Tomas Mraz 2004-09-20 09:05:27 UTC
If you looked at the documentation closely you would note that section
6.19 is about module pam_pwdb. This module isn't used in the current
Fedora Core distros.

However the pam_unix module has the same option nullok which enables
empty passwords. And this option is included in the system-auth file
and works well.

SSH doesn't accept empty passwords, because by default it does not have
the PermitEmptyPasswords option enabled in /etc/ssh/sshd_config.


Comment 2 Michal Jaegermann 2004-09-20 15:20:18 UTC
The confusion arose because the time of the last sshd change was
2004/Sep/04 and giving whatever for a password on an account with
no password did work until pam was updated on 2004/Sep/18.  So
some behaviour of pam definitely did change.  Maybe for the better;
but it was not sshd that was responsible here (as shown in the quoted
fragments of "authentication failure" messages from pam_unix).

As far as I can tell 'pam_unix' does have 'nullok' present via
/etc/pam.d/system-auth which was always at default.

Comment 3 Tomas Mraz 2004-09-20 15:49:57 UTC
Ah, yes of course, because the old behaviour of ignoring the
PermitEmptyPasswords option was actually a bug in pam which was fixed
in the 0.77-56 release.

See bug 127054
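
Added example (not part of the bug report, and not code from pam or OpenSSH): a small Python audit of the two settings the thread identifies, `nullok` on pam_unix in the auth stack and `PermitEmptyPasswords` in sshd_config, both of which must allow an empty password before an SSH login with one can succeed. The file contents, the pam_stack.so paths and all function names are constructed for illustration; password authentication through PAM is assumed to be enabled.

```python
import re

# Constructed samples modelled on the files named in the thread.
PAM_FILES = {
    "sshd": "auth  required  /lib/security/$ISA/pam_stack.so service=system-auth\n",
    "system-auth": (
        "auth      required    /lib/security/$ISA/pam_env.so\n"
        "auth      sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok\n"
        "password  sufficient  /lib/security/$ISA/pam_unix.so nullok use_authtok\n"
    ),
}
SSHD_DEFAULT = "#PermitEmptyPasswords no\nPasswordAuthentication yes\n"

def sshd_permits_empty(text):
    """Global PermitEmptyPasswords; sshd keeps the first value, default is no."""
    for raw in text.splitlines():
        line = raw.strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if line.startswith("#") or len(parts) < 2:
            continue
        if parts[0].lower() == "match":   # conditional blocks are not evaluated
            break
        if parts[0].lower() == "permitemptypasswords":
            value = parts[1].split()
            return bool(value) and value[0].lower() == "yes"
    return False

def pam_unix_nullok(service, files, seen=None):
    """True if a pam_unix auth line reachable from `service` carries nullok."""
    seen = seen if seen is not None else set()
    if service in seen or service not in files:
        return False
    seen.add(service)
    for raw in files[service].splitlines():
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", raw.split("#")[0].strip())
        if not m or m.group(1) != "auth":
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            nested = [module]             # third field names another service
        elif module.endswith("pam_stack.so"):
            nested = [a[8:] for a in args if a.startswith("service=")]
        elif module.endswith("pam_unix.so") and "nullok" in args:
            return True
        else:
            continue
        if any(pam_unix_nullok(s, files, seen) for s in nested):
            return True
    return False

def empty_password_ssh_login(sshd_text, pam_files, service="sshd"):
    """Both layers must opt in before an empty password is accepted over SSH."""
    return sshd_permits_empty(sshd_text) and pam_unix_nullok(service, pam_files)
```

With the sample files, the PAM stack allows empty passwords but the default sshd_config does not, which matches the rejection described in the report.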

