Bug 148766 - sshd seems to be caching user passwords
Summary: sshd seems to be caching user passwords
Keywords:
Status: CLOSED DUPLICATE of bug 136855
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-02-15 14:04 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-02-15 14:40:49 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Josh Bressers 2005-02-15 14:04:14 UTC
This was reported to security by Jason Savoie.  I have verified this
behavior on RHEL3.


Purpose: To disable an account from ssh/telnet/rsh login
Issue: executed the passwd -d <username> command and can still login as
that person with the old password


Hello, I was testing to see how I can make an account unavailable from
normal logins and also from using and ssh publickey authentication (if
they had it and we didn't know it unless we log into account and
manually remove it)


So, here is what I did.

# Created a test account on a machine running the following RH release

-bash-2.05b$ uname -a
Linux orange.westernasset.com 2.4.21-15.ELsmp #1 SMP Thu Apr 22 00:09:01
EDT 2004 x86_64 x86_64 x86_64 GNU/Linux
-bash-2.05b$ id
uid=4086(jsavoie) gid=151(ops) groups=151(ops)
-bash-2.05b$ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 3 (Taroon Update 2)


# Created the account

sudo /usr/sbin/useradd -u 6666 test

# Gave it a password
sudo passwd test

# Went to another machine and logged in.

[jsavoie@rancho jsavoie]$ uname -a
Linux rancho.westernasset.com 2.4.21-15.ELsmp #1 SMP Thu Apr 22 00:09:01
EDT 2004 x86_64 x86_64 x86_64 GNU/Linux
[jsavoie@rancho jsavoie]$ ssh test@orange
test@orange's password:
[test@orange test]$

# Went to the test server and removed the password using the passwd -d
<username> command

bash-2.05b$ sudo passwd -d test
Removing password for user test.
passwd: Success

-bash-2.05b$ sudo grep test /etc/shadow
test::12825:0:99999:7:::

# Now, login from the other machine

[jsavoie@rancho jsavoie]$ ssh test@orange
test@orange's password:
Permission denied, please try again.
test@orange's password:
[test@orange test]$

(NOTE: the first time above was no passwd, then the old password and it
worked!!!)

Comment 1 Josh Bressers 2005-02-15 14:33:41 UTC
I did not have nscd running on the machine I tested this on.

Comment 2 Tomas Mraz 2005-02-15 14:40:49 UTC
No, this is a completely different bug (pam ignores flag which openssh sends to
it when PermitEmptyPasswords is set to no).
You can actually enter any non-empty password to login when user has null password.


*** This bug has been marked as a duplicate of 136855 ***

*** This bug has been marked as a duplicate of 136855 ***


Note You need to log in before you can comment on or make changes to this bug.