Bug 8083 - pam_pwdb with nullok accepts any password for passwordless accounts
Product: Red Hat Linux
Classification: Retired
Component: pam
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assigned To: Cristian Gafton
Keywords: Security
Reported: 1999-12-31 08:08 EST by Leos Bitto
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-02-05 15:17:21 EST
Description Leos Bitto 1999-12-31 08:08:38 EST
When you use pam_pwdb with nullok (the default RH 6.1 setting), and the
account you are trying to log on to has no password (passwd -d xyz => ^xyz::
in /etc/shadow), pam_pwdb will let you log in with any password, not only
with the empty one. I use pam-0.68-8 with shadow passwords and md5, which
is the default RH 6.1 setting. I think that this might turn into a security
problem in applications which blindly trust PAM. It already fools OpenSSH's
parameter "PermitEmptyPasswords no", for example. It doesn't allow you to
log in with empty password, but pam_pwdb offers you zillions of other
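An added audit script, not part of the bug report, that flags the combination the reporter describes: accounts whose /etc/shadow password field is empty together with an `auth` line that hands `nullok` to pam_pwdb. The shadow excerpt and PAM service file below are constructed samples; on a real host you would read /etc/shadow and the files under /etc/pam.d/ instead.

```python
# Constructed sample in /etc/shadow format. "xyz" has an empty password
# field, which is what `passwd -d xyz` leaves behind; "daemon" is locked.
SAMPLE_SHADOW = """\
root:$1$constructed$notarealhash0123456789:10950:0:99999:7:::
xyz::10957:0:99999:7:::
daemon:*:10950:0:99999:7:::
"""

# Constructed sample of an RH 6.1-style PAM service file using pam_pwdb.
SAMPLE_PAM_LOGIN = """\
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required     /lib/security/pam_pwdb.so
"""

def passwordless_accounts(shadow_text):
    """Users whose shadow password field is empty ('*' and '!' are locked, not empty)."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            users.append(fields[0])
    return users

def nullok_auth_lines(pam_text):
    """(line number, module file) for each 'auth' entry that passes nullok to its module."""
    hits = []
    for no, line in enumerate(pam_text.splitlines(), 1):
        parts = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) < 3 or parts[0] != "auth":
            continue
        module = parts[2].rsplit("/", 1)[-1]  # keep only the module file name
        if "nullok" in parts[3:]:
            hits.append((no, module))
    return hits

def exposed_accounts(shadow_text, pam_text):
    """Accounts with an empty field while pam_pwdb takes nullok in the auth stack."""
    pwdb_nullok = any(m.startswith("pam_pwdb")
                      for _, m in nullok_auth_lines(pam_text))
    return passwordless_accounts(shadow_text) if pwdb_nullok else []
```

Removing `nullok` from the auth line, or giving the flagged accounts a password or lock, empties the result.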
Comment 1 Bill Nottingham 2000-02-05 15:17:59 EST
Fixed in the errata.
