Bug 9299 - add "emptycheck" option to pam_pwdb module
Product: Red Hat Raw Hide
Classification: Retired
Component: pam
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
Keywords: FutureFeature
Reported: 2000-02-10 09:09 EST by Jonathan Kamens
Modified: 2008-05-01 11:37 EDT
Doc Type: Enhancement
Last Closed: 2000-05-22 11:36:42 EDT

Attachments
patch to add "emptycheck" to pam_pwdb (2.37 KB, patch)
2000-02-10 09:10 EST, Jonathan Kamens

Description Jonathan Kamens 2000-02-10 09:09:51 EST
Whenever an ssh1 client attempts to connect to an ssh1 server, the server
first attempts to authenticate the client using an empty password, so that
if the user's password is indeed empty, he will be logged in without ever
being prompted for it.

If the user's password is *not* empty, pam_pwdb generates a syslog message
claiming that an authentication failure occurred; in fact, the "failure" is
just a normal check for an empty password.  The problem is that automated
syslog watchers have no good way to distinguish between this harmless
failure and failures indicating real attempts to break into the system.

The attached patch adds a new "emptycheck" option to the pam_pwdb module.
When that option is specified, a service attempts to authenticate with an
empty password, and the user's password isn't actually empty, the generated
log message is modified to indicate that an empty password was specified,
so that syslog watchers can filter the message out based on services for
which this is permissible.

In other words, instead of this:

Feb 10 08:53:04 jik PAM_pwdb[24207]: authentication failure; (uid=0) -> jik
for ssh service

it says this:

Feb 10 09:07:38 jik PAM_pwdb[25622]: authentication failure (empty password
specified); (uid=0) -> jik for ssh service
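
A syslog-watcher rule for the two message shapes quoted above, added here as an example; it is not part of the original report or the attached patch. The allowlist contents, function names and the sample lines other than the two from the report are assumptions made for illustration.

```python
import re

# Services whose clients routinely probe with an empty password first.
# Assumption for this example: only ssh, as described in the report.
EMPTYCHECK_OK = {"ssh"}

# Matches both PAM_pwdb failure messages quoted in the report.
LINE_RE = re.compile(
    r"PAM_pwdb\[(?P<pid>\d+)\]: authentication failure"
    r"(?P<empty> \(empty password specified\))?; "
    r"\(uid=(?P<uid>\d+)\) -> (?P<user>\S+) for (?P<service>\S+) service"
)

def classify(line, allowed=EMPTYCHECK_OK):
    """Return 'ignore', 'alert', or None if not a PAM_pwdb failure line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # Suppress only the tagged message, and only for allowlisted services:
    # an empty-password attempt against any other service stays alertable.
    if m.group("empty") and m.group("service") in allowed:
        return "ignore"
    return "alert"

def alerts(lines, allowed=EMPTYCHECK_OK):
    """Return the lines a watcher should still report."""
    return [line for line in lines if classify(line, allowed) == "alert"]

# First two lines are the report's examples rejoined onto one line each;
# the last two are constructed for this example.
SAMPLE = [
    "Feb 10 08:53:04 jik PAM_pwdb[24207]: authentication failure; "
    "(uid=0) -> jik for ssh service",
    "Feb 10 09:07:38 jik PAM_pwdb[25622]: authentication failure "
    "(empty password specified); (uid=0) -> jik for ssh service",
    "Feb 10 09:08:10 jik PAM_pwdb[25700]: authentication failure "
    "(empty password specified); (uid=0) -> jik for login service",
    "Feb 10 09:08:15 jik syslogd: restart",
]

if __name__ == "__main__":
    for line in alerts(SAMPLE):
        print(line)
```

Because the suppression is keyed on both the tag and the service name, a failure with a non-empty password on ssh is still reported.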
Comment 1 Jonathan Kamens 2000-02-10 09:10:59 EST
Created attachment 107
patch to add "emptycheck" to pam_pwdb
Comment 2 Jonathan Kamens 2000-02-10 09:11:59 EST
One thing I forgot to mention is that the patch doesn't change the behavior of
PAM at all unless "emptycheck" is added to the appropriate line in the
/etc/pam.d configuration file for the service.  Of course, I can't submit a
patch to the ssh maintainers suggesting that they add that option until it's
actually supported by PAM :-).
Comment 3 Cristian Gafton 2000-05-22 11:36:59 EDT
assigned to nalin
Comment 4 Brent Fox 2002-06-04 14:57:16 EDT
Wow, this bug is old.  I'm going to close it because it most likely has been fixed.
If it still occurs in 7.3, please reopen it.
