Red Hat Bugzilla – Bug 54519
login with no password allowed for administrative users with bang or star in shadow
Last modified: 2007-03-26 23:49:09 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Description of problem:
After upgrading to pam-0.75-12 it's possible to log into the
system with any administrative account such as uucp or operator,
provided they have a valid login shell and despite the
presence of a star (*) or double bang (!!) in their
/etc/shadow password field.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. It works from the console and also with su
(not with ssh because empty passwords are
disallowed by default)
2. If password is requested, just hit enter
3. On some setups, the system users might have an
expired password and login will ask to change the
password before proceeding.
Actual Results: Any unauthorized user can (remotely) log into the system with
unusually high privileges (not root's, but almost as dangerous).
Expected Results: The default action for a disabled password should be
to refuse logins. Logins work fine for users with valid passwords.
Reverting to pam-0.75-4 should fix the problem. I couldn't test it since
this package is no longer available in the RawHide ftp site and the
roswell directory is currently inaccessible (permissions 600).
However, I was able to confirm that another system still running 0.75-4
was not vulnerable and started to behave as described as soon as PAM was
upgraded to -12.
Please review this report as soon as possible. It's either some
subtle configuration mistake of my own or a very serious issue.
In either case, a system that was previously secure has been
compromised by upgrading a single RPM package, so it shouldn't be
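The condition the report describes, as an added audit example (not code from the report or from the pam package): it parses constructed /etc/passwd and /etc/shadow lines, lists accounts whose shadow field is disabled (star or bang) but whose shell still permits login, and states the decision the reporter expects for each kind of password field.

```python
# Added example (not from this bug report or from pam): find accounts that a
# "disabled password still logs in" bug would expose, i.e. a shadow field of
# "*", "!", "!!" or a "!"-prefixed hash combined with a login-capable shell.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/sync"}

def password_state(field: str) -> str:
    """Classify a shadow password field as 'empty', 'disabled' or 'hash'."""
    if field == "":
        return "empty"        # no password at all; only a nullok policy accepts it
    if field.startswith("!") or field == "*":
        return "disabled"     # locked account or one never given a password
    return "hash"

def expected_decision(field: str) -> str:
    """The behaviour the reporter expects: a disabled field always refuses."""
    state = password_state(field)
    if state == "disabled":
        return "refuse"
    if state == "empty":
        return "refuse-unless-nullok"
    return "verify-hash"

def exposed_accounts(passwd_lines, shadow_lines):
    """Accounts with a disabled password field but a shell that allows login."""
    shells = {}
    for line in passwd_lines:
        name, _, _, _, _, _, shell = line.split(":")
        shells[name] = shell
    exposed = []
    for line in shadow_lines:
        name, field = line.split(":")[:2]
        if password_state(field) == "disabled" and shells.get(name) not in NOLOGIN_SHELLS:
            exposed.append(name)
    return exposed

# Constructed sample lines (hypothetical, not real system data).
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh",
    "operator:x:11:0:operator:/root:/bin/sh",
    "nobody:x:99:99:Nobody:/:/sbin/nologin",
]
SHADOW = [
    "root:$1$saltsalt$hashhashhashhashhashhash:12000:0:99999:7:::",
    "uucp:*:12000:0:99999:7:::",
    "operator:!!:12000:0:99999:7:::",
    "nobody:*:12000:0:99999:7:::",
]

if __name__ == "__main__":
    for name in exposed_accounts(PASSWD, SHADOW):
        print(f"{name}: disabled password but login shell; expected decision: {expected_decision('*')}")
```

Running it against a real system's /etc/passwd and /etc/shadow (read as root) gives the list of accounts to check first after a PAM upgrade.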
This bug was fixed in pam-0.75-14 and later. Thanks!