Red Hat Bugzilla – Bug 9299
add "emptycheck" option to pam_pwdb module
Last modified: 2008-05-01 11:37:54 EDT
Whenever an ssh1 client attempts to connect to an ssh1 server, the server
first attempts to authenticate the client using an empty password, so that
if the user's password is indeed empty, he will be logged in without ever
being prompted for it.
If the user's password is *not* empty, pam_pwdb generates a syslog message
claiming that an authentication failure occurred; in fact, the "failure" is
just a normal check for an empty password. The problem is that automated
syslog watchers have no good way to distinguish between this harmless
failure and failures indicating real attempts to break into the system.
The attached patch adds a new "emptycheck" option to the pam_pwdb module.
When that option is specified and a service attempts to authenticate with an
empty password, but the user's password isn't actually empty, the generated
log message is modified to indicate that an empty password was specified,
so that syslog watchers can filter the message out based on services for
which this is permissible.
In other words, instead of this:
Feb 10 08:53:04 jik PAM_pwdb: authentication failure; (uid=0) -> jik for ssh service
it says this:
Feb 10 09:07:38 jik PAM_pwdb: authentication failure (empty password specified); (uid=0) -> jik for ssh service
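The filtering this report asks for, written out as an added example (it is not the attached patch and not part of the bug): a small syslog watcher that parses both message forms above and drops only the empty-password failures coming from services on an assumed allowlist, while everything else still alerts. The regex, the `EMPTYCHECK_SERVICES` allowlist and the sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Regex for the PAM_pwdb syslog lines quoted in the bug report. The optional
# "(empty password specified)" qualifier is what the proposed "emptycheck"
# option adds to the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) PAM_pwdb: "
    r"authentication failure(?: \((?P<reason>[^)]*)\))?; "
    r"\(uid=(?P<uid>\d+)\) -> (?P<user>\S+) for (?P<service>\S+) service$"
)

# Services for which an empty-password probe is expected (ssh1 always tries
# an empty password first). Assumed allowlist, not taken from the bug report.
EMPTYCHECK_SERVICES = {"ssh"}

def parse_line(line):
    """Return a dict of fields for a PAM_pwdb failure line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["empty_probe"] = ev["reason"] == "empty password specified"
    return ev

def classify(lines, allowed=EMPTYCHECK_SERVICES):
    """Split PAM_pwdb failures into harmless empty-password probes from
    permitted services (filtered) and failures worth alerting on."""
    counts = Counter()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            counts["unparsed"] += 1          # not a PAM_pwdb failure line
        elif ev["empty_probe"] and ev["service"] in allowed:
            counts["filtered"] += 1          # expected ssh1 empty-password check
        else:
            counts["alert"] += 1             # real failure, or probe from a non-allowed service
            alerts.append(ev)
    return counts, alerts

# Constructed sample lines in the format quoted in the bug report.
SAMPLE = [
    "Feb 10 08:53:04 jik PAM_pwdb: authentication failure; (uid=0) -> jik for ssh service",
    "Feb 10 09:07:38 jik PAM_pwdb: authentication failure (empty password specified); (uid=0) -> jik for ssh service",
    "Feb 10 09:08:01 jik PAM_pwdb: authentication failure (empty password specified); (uid=0) -> root for login service",
    "Feb 10 09:09:15 jik sshd[123]: something unrelated",
]

if __name__ == "__main__":
    counts, alerts = classify(SAMPLE)
    print(dict(counts))
    for ev in alerts:
        print("ALERT", ev["service"], ev["user"], ev["reason"])
```

The third sample line shows the point of keying the filter on the service: an empty-password probe against a service that is not expected to perform one is still reported.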
Created attachment 107
patch to add "emptycheck" to pam_pwdb
One thing I forgot to mention is that the patch doesn't change the behavior of
PAM at all unless "emptycheck" is added to the appropriate line in the
/etc/pam.d configuration file for the service. Of course, I can't submit a
patch to the ssh maintainers suggesting that they add that option until it's
actually supported by PAM :-).
assigned to nalin
Wow, this bug is old. I'm going to close it because it most likely has been fixed.
If it still occurs in 7.3, please reopen it.