Debian Bug report logs - #93200
PermitEmptyPasswords seems to have no effect
Reported by: Joey Hess <joeyh@debian.org>
Date: Sat, 7 Apr 2001 10:05:46 UTC
Severity: normal
Merged with 139579
Found in versions 1:2.5.2p2-1, 1:3.0.2p1-8
Forwarded to openssh-unix-dev@mindrot.org
Report forwarded to debian-bugs-dist@lists.debian.org, Philip Hands <phil@hands.com>:
Bug#93200; Package ssh.
Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Philip Hands <phil@hands.com>.
Message #5 received at submit@bugs.debian.org:
Package: ssh
Version: 1:2.5.2p2-1
Severity: normal
joey@kite:~>grep Password /etc/ssh/sshd_config
PasswordAuthentication yes
PermitEmptyPasswords yes
Here the "beer" user has an empty password. Telnet doesn't even bother
asking for a password:
kite login: beer
Last login: Sat Apr 7 02:53:44 2001 from localhost on pts/7
OTOH, sshd will not let beer in at all:
joey@kite:~>ssh beer@kitenet.net
beer@kitenet.net's password:
Permission denied, please try again.
beer@kitenet.net's password:
Permission denied, please try again.
beer@kitenet.net's password:
Password:
Received disconnect from 198.144.200.155: 2: too many failed userauth_requests
In each case, I hit enter.
The line in /etc/shadow in question is:
beer::11407:0:99999:7:::
Nothing interesting shows up in the logs, or with ssh -v.
-- System Information
Debian Release: unstable
Architecture: i386
Kernel: Linux kite 2.4.3 #1 Tue Apr 3 20:44:00 PDT 2001 i686
Versions of packages ssh depends on:
ii libc6 2.2.2-4 GNU C Library: Shared libraries an
ii libpam-modules 0.72-18 Pluggable Authentication Modules f
ii libpam0g 0.72-18 Pluggable Authentication Modules l
ii libssl0.9.6 0.9.6-2 SSL shared libraries
ii libwrap0 7.6-7 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.1.3-14 compression library - runtime
--
see shy jo, who wonders if his beer account is gonna get spam now. Hmm.
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#93200; Package ssh.
Acknowledgement sent to "Adam McKenna" <adam-dated-1000248167.fb554c@flounder.net>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #10 received at 93200@bugs.debian.org:
I noticed while investigating Debian Bug #93200
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=93200&repeatmerged=yes)
that sshd refuses a login if /etc/pam.d/ssh doesn't specify "nullok" after
the pam_unix.so module -- is there any way to resolve this problem? It seems
that OpenSSH should override PAM in this case, someone posted a patch on 6/19
that appears to address this problem,
(http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99293778402235&w=2)
is there any chance this will be fixed in the next release?
Thanks,
--Adam
--
Adam McKenna <adam@flounder.net> | GPG: 17A4 11F7 5E7E C2E7 08AA
http://flounder.net/publickey.html | 38B0 05D0 8BF7 2C6D 110A
Noted your statement that Bug has been forwarded to openssh-unix-dev@mindrot.org.
Request was from "Adam McKenna" <adam-dated-1000248268.4c4da4@flounder.net>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#93200; Package ssh.
Acknowledgement sent to <mouring@etoh.eviladmin.org>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #17 received at 93200@bugs.debian.org:
auth-pam.c in auth_pam_password() already checks for this case in the
current CVS tree. If it still occurs in the current tree then it should
be addressed within auth_pam_password(). Otherwise you need to check
and fix auth1.c and auth2.c.
- Ben
On Thu, 6 Sep 2001, Adam McKenna wrote:
> I noticed while investigating Debian Bug #93200
> (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=93200&repeatmerged=yes)
> that sshd refuses a login if /etc/pam.d/ssh doesn't specify "nullok" after
> the pam_unix.so module -- is there any way to resolve this problem? It seems
> that OpenSSH should override PAM in this case, someone posted a patch on 6/19
> that appears to address this problem,
> (http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99293778402235&w=2)
> is there any chance this will be fixed in the next release?
>
> Thanks,
>
> --Adam
> --
> Adam McKenna <adam@flounder.net> | GPG: 17A4 11F7 5E7E C2E7 08AA
> http://flounder.net/publickey.html | 38B0 05D0 8BF7 2C6D 110A
>
Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#93200; Package ssh.
Acknowledgement sent to Darren Tucker <dtucker@zip.com.au>:
Extra info received and forwarded to list. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #24 received at 93200@bugs.debian.org:
Hi.
I've just committed an upstream fix for this "ssh: PermitEmptyPasswords
seems to have no effect" for the keyboard-interactive case. (This is
upstream's auth-pam.c 1.109 -> 1.110).
One thing I did find is that the pam_unix.so flag "nullok" overrides
the PAM_DISALLOW_NULL_AUTHTOK flag passed to the pam_authenticate()
function. This appears to be a bug in PAM (the right behaviour would
seem to be the *least* permissive of the two).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Changed Bug submitter from Joey Hess <joeyh@debian.org> to Joey Hess <joeyh@debian.org>.
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#93200; Package ssh. (Thu, 12 Jan 2017 14:09:06 GMT)
Acknowledgement sent to Benoît Allard <benoit.allard@greenbone.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Thu, 12 Jan 2017 14:09:06 GMT)
Message #31 received at 93200@bugs.debian.org:
Just for clarity, I just ran into this (pretty old!) issue and found
the culprit.
Even though you can configure PermitEmptyPasswords in the sshd_config
file, pam will not allow any passwordless authentication from a
non-secure tty (from /etc/securetty). "ssh" is by definition a non-secure
tty. Hence no matter what you put in your sshd_config file, passwordless
authentication via ssh is not possible unless you either
- replace "nullok_secure" with "nullok" in /etc/pam.d/common-auth, or
- add "ssh" to /etc/securetty.
What was the point of nullok_secure in the first place? Having a
second "line of defense" against configurations like mine that wish for
passwordless (keyless) ssh access?
Regards,
Ben.
PS: Just for the record, I don't allow world-access to my system, I
have the following in my configuration:
Match User omp
PermitEmptyPasswords yes
ForceCommand /usr/bin/socat UNIX-CONNECT:/path/to/the/socket.sock -
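As an added defender-side audit check (not code from the bug log, OpenSSH or Debian), this POSIX shell helper walks the three layers the thread identifies: the sshd_config setting, pam_unix.so's nullok/nullok_secure flag, and /etc/securetty. The function names and the sample files are assumptions constructed for this run; it deliberately ignores which users a Match block applies to.

```shell
#!/bin/sh
# Added audit helper; not code from the bug log or from OpenSSH/Debian.
# It encodes the interaction described in the thread: sshd's
# PermitEmptyPasswords only takes effect if PAM also accepts an empty
# authtok ("nullok"), and Debian's "nullok_secure" further requires "ssh"
# to be listed in /etc/securetty. Sample files below are constructed.

# Prints "yes" if PermitEmptyPasswords yes appears anywhere in sshd_config
# (globally or inside a Match block), otherwise "no".
sshd_permits_empty() {
    awk 'tolower($1)=="permitemptypasswords" && tolower($2)=="yes" {f=1}
         END {print (f ? "yes" : "no")}' "$1"
}

# Prints how pam_unix.so is configured in the auth stack:
# "nullok", "nullok_secure" or "none" (last matching line wins).
pam_null_mode() {
    awk '$1=="auth" && /pam_unix\.so/ {
             if ($0 ~ /nullok_secure/) m="nullok_secure";
             else if ($0 ~ /nullok/) m="nullok" }
         END {print (m ? m : "none")}' "$1"
}

# Exit status 0 if "ssh" is listed as a secure tty.
securetty_has_ssh() { grep -qx ssh "$1"; }

# Walks the three layers in the order a login passes them and prints the
# first one that blocks an empty password, or "allowed".
empty_ssh_login_possible() {
    [ "$(sshd_permits_empty "$1")" = yes ] || { echo blocked-by-sshd; return 0; }
    case "$(pam_null_mode "$2")" in
        nullok)        echo allowed ;;
        nullok_secure) securetty_has_ssh "$3" && echo allowed || echo blocked-by-securetty ;;
        *)             echo blocked-by-pam ;;
    esac
}

# Constructed inputs reproducing the 2017 report: sshd allows it for one
# user, PAM uses nullok_secure, and securetty does not list "ssh".
d=$(mktemp -d)
printf 'PasswordAuthentication yes\nMatch User omp\n\tPermitEmptyPasswords yes\n' > "$d/sshd_config"
printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\n' > "$d/common-auth"
printf 'console\ntty1\n' > "$d/securetty"
empty_ssh_login_possible "$d/sshd_config" "$d/common-auth" "$d/securetty"   # blocked-by-securetty
echo ssh >> "$d/securetty"   # the second workaround from the report
empty_ssh_login_possible "$d/sshd_config" "$d/common-auth" "$d/securetty"   # allowed
```

Run it against the real /etc/ssh/sshd_config, /etc/pam.d/common-auth and /etc/securetty to see which layer is currently blocking (or permitting) empty-password SSH logins on a host.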
Last modified: Sat Mar 25 17:40:58 2023