This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 21268 - PermitEmptyPasswords=yes terminates SSH sessions
PermitEmptyPasswords=yes terminates SSH sessions
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
7.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-11-22 16:54 EST by Derek Poon
Modified: 2008-05-01 11:37 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-11-29 15:23:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Derek Poon 2000-11-22 16:54:19 EST
This bug was introduced when updating from openssh-server-2.1.1p4-1 to
openssh-server-2.3.0p1-4.i386.rpm.  With 2.3.0p1, if /etc/ssh/sshd_config
has "PermitEmptyPasswords yes", then a client logging in using a DSA key
immediately has its  session terminated.  This did not happen with 2.1.1p4

Here's the output from "ssh -v localhost" with 2.3.0p1:

$ ssh -v localhost
SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /home/dpoon/.ssh/config
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Allocated local port 1022.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version
OpenSSH_2.3.0p1
debug: no match: OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.3.0p1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit:
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug: got kexinit:
3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit: 
debug: got kexinit: 
debug: first kex follow: 0 
debug: reserved: 0 
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 zlib
debug: kex: client->server 3des-cbc hmac-sha1 zlib
debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug: bits set: 1027/2049
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Forcing accepting of host key for loopback/localhost.
debug: bits set: 1041/2049
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: Enabling compression at level 6.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue:
publickey,keyboard-interactive,password
debug: next auth method to try is publickey
debug: trying DSA agent key /home/dpoon/.ssh/id_dsa
debug: ssh-userauth2 successfull: method publickey
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: client_init id 0 arg 0
debug: Requesting X11 forwarding with authentication spoofing.
debug: channel request 0: shell
debug: channel 0: open confirm rwindow 0 rmax 16384
Connection to localhost closed by remote host.
Connection to localhost closed.
debug: Transferred: stdin 0, stdout 0, stderr 81 bytes in 0.1 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 1177.6
debug: Exit status -1
debug: compress outgoing: raw data 767, compressed 697, factor 0.91
debug: compress incoming: raw data 80, compressed 77, factor 0.96
Comment 1 Pekka Savola 2000-11-23 17:11:06 EST
Works for me (the server isn't RHL7 though).

I'd debug sshd too. 

Does replacing /etc/pam.d/sshd with the earlier version
help? (now, pam_stack + system-auth is used)

E.g.:
---
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so
---
Comment 2 Nalin Dahyabhai 2000-11-28 18:50:28 EST
I can duplicate this with both 2.1.1p4 and 2.3.0p1, which is not good.  I'll
need to investigate further.
Comment 3 Nalin Dahyabhai 2000-11-29 15:23:09 EST
I think the 2.3.0p1-6 packages in http://people.redhat.com/nalin/test/ will fix
this.  If you can, please test them and let me know if they do.
Comment 4 Nalin Dahyabhai 2001-01-22 22:37:21 EST
Verified as fixed in Raw Hide.

Note You need to log in before you can comment on or make changes to this bug.