First Last Prev Next    This bug is not in your last search results.
Bug 8083 - pam_pwdb with nullok accepts any password for passwordless accounts
pam_pwdb with nullok accepts any password for passwordless accounts
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: pam (Show other bugs)
6.1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Cristian Gafton
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-12-31 08:08 EST by Leos Bitto
Modified: 2008-05-01 11:37 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-02-05 15:17:21 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Leos Bitto 1999-12-31 08:08:38 EST 
When you use pam_pwdb with nullok (the default RH 6.1 setting), and the
account you are trying to log on has no password (passwd -d xyz => ^xyz::
in /etc/shadow), pam_pwdb will let you log in with any password, not only
with the empty one. I use pam-0.68-8 with shadow passwords and md5, which
is the default RH 6.1 setting. I think that this might turn into a security
problem in applications which blindly trust PAM. It already fools OpenSSH's
parameter "PermitEmptyPasswords no", for example. It doesn't allow you to
log in with empty password, but pam_pwdb offers you zillions of other
passwords...
Comment 1 Bill Nottingham 2000-02-05 15:17:59 EST 
Fixed in the errata.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.