From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)

Description of problem:
After upgrading to pam-0.75-12 it's possible to log into the system with any administrative account such as uucp or operator, provided they have a valid login shell and despite the presence of a star (*) or double bang (!!) in their /etc/shadow password field.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. It works from the console and also with su (not with ssh, because empty passwords are disallowed by default)
2. If a password is requested, just hit enter
3. On some setups, the system users might have an expired password and login will ask to change the password before proceeding.

Actual Results:
Any unauthorized user can (remotely) log into the machine with unusually high privileges (not root's, but almost as dangerous).

Expected Results:
The default action for disabled passwords should be to refuse logins. Logins work fine for users with valid passwords.

Additional info:
Reverting to pam-0.75-4 should fix the problem. I couldn't test it since this package is no longer available on the RawHide ftp site and the roswell directory is currently inaccessible (permissions 600). However, I was able to confirm that another system still running 0.75-4 was not vulnerable and started to behave as described as soon as PAM was upgraded to -12.
Please review this report as soon as possible. It's either some subtle configuration mistake of my own or a very serious issue. In either case, a system that was previously secure has been compromised by upgrading a single RPM package, so it shouldn't be underestimated.
This bug was fixed in pam-0.75-14 and later. Thanks!
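The accounts the report describes are those whose /etc/shadow password field is locked (a star, a bang or a double bang) while /etc/passwd still gives them an interactive shell. The script below is an added example, not part of the bug report or of the pam package: it joins the two files on the account name and lists exactly that set, so an administrator can see which system accounts a broken PAM would expose. The sample passwd and shadow contents are constructed for the demo and the shell list treated as "not a login shell" (/sbin/nologin, /usr/sbin/nologin, /bin/false) is an assumption; a thorough check would consult /etc/shells. Reading the real /etc/shadow requires root.

```shell
#!/bin/sh
# Added example (not from the report). Lists accounts whose shadow password
# field is locked ('*' or anything starting with '!') but whose login shell
# still allows an interactive login. Usage on a live system (as root):
#   list_locked_with_shell /etc/passwd /etc/shadow

list_locked_with_shell() {
    passwd_file=$1
    shadow_file=$2
    # awk reads the shadow file first (FNR == NR) and remembers each
    # account's password field, then walks passwd and joins on field 1.
    awk -F: '
        FNR == NR { pw[$1] = $2; next }
        {
            name = $1; shell = $7
            if (shell == "") shell = "/bin/sh"   # empty shell field means /bin/sh
            if (!(name in pw)) next               # no shadow entry: skip
            p = pw[name]
            locked = (p == "*" || p ~ /^!/)       # "*", "!", "!!", "!<hash>"
            # Assumption: only these shells are treated as non-login shells.
            usable = (shell != "/sbin/nologin" && shell != "/usr/sbin/nologin" && shell != "/bin/false")
            if (locked && usable) print name ":" p ":" shell
        }' "$shadow_file" "$passwd_file"
}

# Demo on constructed passwd/shadow data (the hashes are placeholders).
demo_locked_with_shell() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
EOF
    cat > "$tmp/shadow" <<'EOF'
root:$1$placeholderhash:12345:0:99999:7:::
bin:*:12345:0:99999:7:::
uucp:!!:12345:0:99999:7:::
operator:*:12345:0:99999:7:::
nobody:*:12345:0:99999:7:::
alice:$1$anotherplaceholder:12345:0:99999:7:::
EOF
    list_locked_with_shell "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

demo_locked_with_shell
```

On the constructed data only uucp and operator are printed: bin and nobody are locked but have /sbin/nologin, and root and alice have real hashes. Any name this script prints on a host running the affected pam build is an account worth testing with an empty password at the console, as the report describes.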