Bug 9299 - add "emptycheck" option to pam_pwdb module
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: pam
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Keywords: FutureFeature
Depends On:
Reported: 2000-02-10 14:09 UTC by Jonathan Kamens
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-05-22 15:36:42 UTC

Attachments
patch to add "emptycheck" to pam_pwdb (2.37 KB, patch)
2000-02-10 14:10 UTC, Jonathan Kamens

Description Jonathan Kamens 2000-02-10 14:09:51 UTC
Whenever an ssh1 client attempts to connect to an ssh1 server, the server
first attempts to authenticate the client using an empty password, so that
if the user's password is indeed empty, he will be logged in without ever
being prompted for it.

If the user's password is *not* empty, pam_pwdb generates a syslog message
claiming that an authentication failure occurred; in fact, the "failure" is
just a normal check for an empty password.  The problem is that automated
syslog watchers have no good way to distinguish between this harmless
failure and failures indicating real attempts to break into the system.

The attached patch adds a new "emptycheck" option to the pam_pwdb module.
When that option is specified, a service attempts to authenticate with an
empty password, and the user's password isn't actually empty, the generated
log message is modified to indicate that an empty password was specified,
so that syslog watchers can filter the message out based on services for
which this is permissible.

In other words, instead of this:

Feb 10 08:53:04 jik PAM_pwdb[24207]: authentication failure; (uid=0) -> jik for ssh service

it says this:

Feb 10 09:07:38 jik PAM_pwdb[25622]: authentication failure (empty password specified); (uid=0) -> jik for ssh service
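
The filtering a syslog watcher could do with the two message formats quoted above, as an added example that is not part of the original report or the attached patch. The allowlist name EMPTYCHECK_SERVICES and the last two sample lines are constructed assumptions; the marker is suppressed only for allowlisted services, so an empty-password failure for any other service still raises an alert.

```python
import re
from collections import Counter

# Pattern derived from the two log lines quoted in the report.
PAM_FAILURE = re.compile(
    r"PAM_pwdb\[(?P<pid>\d+)\]: authentication failure"
    r"(?P<empty> \(empty password specified\))?;"
    r" \(uid=(?P<uid>\d+)\) -> (?P<user>\S+) for (?P<service>\S+) service"
)

# Assumption: services known to try an empty password before prompting.
EMPTYCHECK_SERVICES = {"ssh"}

def classify(line):
    """Return (verdict, fields); verdict is 'ignore', 'suppress' or 'alert'."""
    m = PAM_FAILURE.search(line)
    if m is None:
        return "ignore", None          # not a pam_pwdb authentication failure
    fields = m.groupdict()
    # Suppress only when the marker is present AND the service is allowlisted.
    if fields["empty"] and fields["service"] in EMPTYCHECK_SERVICES:
        return "suppress", fields
    return "alert", fields

def alerts_per_user(lines):
    """Count alert-worthy failures per (user, service) pair."""
    counts = Counter()
    for line in lines:
        verdict, fields = classify(line)
        if verdict == "alert":
            counts[(fields["user"], fields["service"])] += 1
    return counts

# First two lines are quoted from the report; the last two are constructed.
SAMPLE = [
    "Feb 10 08:53:04 jik PAM_pwdb[24207]: authentication failure; (uid=0) -> jik for ssh service",
    "Feb 10 09:07:38 jik PAM_pwdb[25622]: authentication failure (empty password specified); (uid=0) -> jik for ssh service",
    "Feb 10 09:08:01 jik PAM_pwdb[25630]: authentication failure (empty password specified); (uid=0) -> jik for login service",
    "Feb 10 09:08:05 jik example[25631]: unrelated constructed message",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line)[0]:8} | {line}")
    print(dict(alerts_per_user(SAMPLE)))
```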

Comment 1 Jonathan Kamens 2000-02-10 14:10:59 UTC
Created attachment 107
patch to add "emptycheck" to pam_pwdb

Comment 2 Jonathan Kamens 2000-02-10 14:11:59 UTC
One thing I forgot to mention is that the patch doesn't change the behavior of
PAM at all unless "emptycheck" is added to the appropriate line in the
/etc/pam.d configuration file for the service.  Of course, I can't submit a
patch to the ssh maintainers suggesting that they add that option until it's
actually supported by PAM :-).

Comment 3 Cristian Gafton 2000-05-22 15:36:59 UTC
assigned to nalin

Comment 4 Brent Fox 2002-06-04 18:57:16 UTC
Wow, this bug is old.  I'm going to close it because it most likely has been fixed.
If it still occurs in 7.3, please reopen it.
