8083 – pam_pwdb with nullok accepts any password for passwordless accounts

Bug 8083 - pam_pwdb with nullok accepts any password for passwordless accounts

Summary: pam_pwdb with nullok accepts any password for passwordless accounts

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	pam
Sub Component:
Version:	6.1
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Cristian Gafton
QA Contact:
Docs Contact:
URL:
Whiteboard:
Keywords:	Security
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	1999-12-31 13:08 UTC by Leos Bitto
Modified:	2008-05-01 15:37 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2000-02-05 20:17:21 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Leos Bitto 1999-12-31 13:08:38 UTC

When you use pam_pwdb with nullok (the default RH 6.1 setting), and the
account you are trying to log on has no password (passwd -d xyz => ^xyz::
in /etc/shadow), pam_pwdb will let you log in with any password, not only
with the empty one. I use pam-0.68-8 with shadow passwords and md5, which
is the default RH 6.1 setting. I think that this might turn into a security
problem in applications which blindly trust PAM. It already fools OpenSSH's
parameter "PermitEmptyPasswords no", for example. It doesn't allow you to
log in with empty password, but pam_pwdb offers you zillions of other
passwords...

Comment 1 Bill Nottingham 2000-02-05 20:17:59 UTC

Fixed in the errata.

Note You need to log in before you can comment on or make changes to this bug.