Description of problem:
In default configuration, proftpd authenticates against PAM using the "proftpd" config. This config basically includes the "password-auth" rules, which contain

auth sufficient pam_unix.so nullok try_first_pass

Thus, users with a deleted password can authenticate via FTP by providing nothing or a random string as a password: you can type whatever you want as a password, it will get accepted and you will be logged in with the identity of the existing user name you provided. This can be prevented by setting

auth sufficient pam_unix.so try_first_pass likeauth

in the proftpd PAM configuration.

Version-Release number of selected component (if applicable):
Version: proftpd 1.3.5e
Release: 10.el7
Arch: x86_64

How reproducible:
1. Install proftpd with default config
2. Create a user with a valid shell, but omit the password (like, for example, you do when running a service under its own identity) -- as a side note: if you set "RequireValidShell off", a usable shell isn't needed
3. Use "passwd -d username" to delete the password
4. Connect to FTP, provide the user name of the account you just created with a totally random password
5. You are logged in now

Actual results:
You are logged in by simply knowing the name of an existing user

Expected results:
You can't log in by just guessing user names

Additional info:
This might be a bug in passwd, since deleting a password will not set "!!" in the password field, but just leave it blank. So, this *might* affect other services, but at the moment, I can't test.
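An added audit helper (not from the bug report and not part of proftpd) that flags PAM "auth" lines loading pam_unix.so with the "nullok" option described above and lists included stacks such as password-auth so they get audited too; the two sample stacks are constructed temporary files, one with the reported default line and one with the suggested likeauth replacement.

```sh
#!/bin/sh
# pam_nullok_check FILE...  prints every non-comment "auth" line that loads
# pam_unix.so with "nullok" (or "nullok_secure"), the option that lets an
# account whose shadow password field is empty (e.g. after "passwd -d")
# authenticate with any password. Included/substacked stacks are reported so
# they can be audited as well, since the default proftpd stack pulls in
# password-auth. Returns 1 if any offending line was found, 0 otherwise.
pam_nullok_check() {
  rc=0
  for f in "$@"; do
    [ -r "$f" ] || { echo "unreadable: $f" >&2; continue; }
    hits=$(grep -v '^[[:space:]]*#' "$f" \
      | grep -E '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*[[:space:]]nullok(_secure)?([[:space:]]|$)' \
      || true)
    if [ -n "$hits" ]; then
      printf '%s:\n%s\n' "$f" "$hits"
      rc=1
    fi
    grep -v '^[[:space:]]*#' "$f" \
      | grep -E '^[[:space:]]*auth[[:space:]]+(include|substack)[[:space:]]' \
      | while read -r _type _ctl inc; do
          printf '%s: auth stack also includes "%s", audit it as well\n' "$f" "$inc"
        done
  done
  return "$rc"
}

# Constructed sample stacks (temporary files, not real /etc/pam.d entries):
# WEAK mirrors the default line quoted in the report, FIXED the suggested fix.
WEAK=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$WEAK" "$FIXED"' EXIT
cat >"$WEAK" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_unix.so nullok try_first_pass
auth       substack     password-auth
account    required     pam_unix.so
EOF
cat >"$FIXED" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_unix.so try_first_pass likeauth
auth       required     pam_deny.so
account    required     pam_unix.so
EOF

if pam_nullok_check "$WEAK" "$FIXED"; then
  echo "no nullok in the audited stacks"
else
  echo "nullok present: drop it (e.g. use the likeauth line) before exposing FTP"
fi
```

On a real host the same function can be pointed at /etc/pam.d/proftpd and the stacks it includes.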
It seems to me that this is at least close to the intended behaviour. The "passwd -d" deletes the password to facilitate passwordless login for that user. So why shouldn't the FTP server honour that and allow login with any password?
I see, passwd -d seems not to be the best choice if you want to remove passwords. Unfortunately, unlike e.g. sshd or vsftpd, proftpd has no option to disallow logins with empty passwords by itself. Proftpd has an option "AllowEmptyPasswords", which can be set to disallow empty passwords, but this option does not exist in version 1.3.5e shipped in epel7 since it was introduced with version 1.3.6. IMHO it might be a sensible option to prevent passwordless logins through PAM for proftpd by default.
OK, I propose to adopt the proposed PAM change for EPEL-7 only, since the Fedora and EPEL-8 versions can use the "AllowEmptyPasswords" option to prevent use of empty passwords. Does that sound reasonable?