author Damien Miller <djm@mindrot.org> 2000-01-03 20:00:52 +1100
committer Damien Miller <djm@mindrot.org> 2000-01-03 20:00:52 +1100
commit e9c8f4dfdc0117fb02b9d9a421f07464ccadfcff
tree 913ab445f121847b23814d849ce74c23facbda27
parent 645c598d3c6c64f1f20de6fc43d4484033417b4d
- Removed "nullok" directive from default PAM configuration files.
Added information on enabling EmptyPasswords on openssh+PAM in UPGRADING file.
-rw-r--r-- ChangeLog 3
-rw-r--r-- UPGRADING 21
-rw-r--r-- packages/redhat/sshd.pam 2
-rw-r--r-- sshd.pam.generic 2
4 files changed, 26 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index d2413c16..53236e09 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@
- Add explicit make rules for files proccessed by fixpaths.
- Fix "make install" in RPM spec files. Report from Tenkou N. Hattori
<tnh@kondara.org>
+ - Removed "nullok" directive from default PAM configuration files.
+ Added information on enabling EmptyPasswords on openssh+PAM in
+ UPGRADING file.
20000102
- Prevent multiple inclusion of config.h and defines.h. Suggested
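Review bot: The new entry refers to "enabling EmptyPasswords", while the option named in the UPGRADING text of this same commit is "PermitEmptyPasswords"; use the full option name so the entry can be matched against sshd_config. The entry would also be more useful if it said why "nullok" was dropped from the defaults, since the reason given in UPGRADING (PAM accepting any password for an account with an empty password) is a security fix, not a cosmetic change.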
diff --git a/UPGRADING b/UPGRADING
index 56585de4..6350fe04 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -57,3 +57,24 @@ If it annoys you too much, set "PermitEmptyPasswords no" in
sshd_config. This will quiet the error message at the expense of
disabling logins to accounts with no password set. This is the
default if you use the supplied sshd_config file.
+
+6. Empty passwords not allowed with PAM authentication
+
+To enable empty passwords with a version of OpenSSH built with PAM you
+must add the flag "nullok" to the end of the password checking module
+in the /etc/pam.d/sshd file. For example:
+
+auth required/lib/security/pam_unix.so shadow nodelay nullok
+
+This must be done in addtion to setting "PermitEmptyPasswords yes"
+in the sshd_config file.
+
+There is one caveat when using empty passwords with PAM
+authentication: PAM will allow _any_ password when authenticating
+an account with an empty password. This breaks the check that sshd
+uses to determined whether an account has no password set and grant
+users access to the account regardless of the policy specified by
+"PermitEmptyPasswords". For this reason, it is recommended that you do
+not add the "nullok" directive to your PAM configuration file unless
+you specifically wish to allow empty passwords.
+
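Review bot: The caveat paragraph of the new section 6 should state outright that once "nullok" is present, "PermitEmptyPasswords no" no longer protects accounts that have an empty password, because the text says PAM accepts any password for them; as written that consequence is buried in the middle of a sentence and the closing recommendation reads as optional. Also fix "addtion" to "addition", "uses to determined" to "uses to determine" and "grant users" to "grants users", and check the example line, where "required/lib/security/pam_unix.so" appears to have no whitespace between the control flag and the module path (compare the "auth required /lib/security/pam_unix.so" line in sshd.pam.generic).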
diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam
index 9ec42469..26dcb34d 100644
--- a/packages/redhat/sshd.pam
+++ b/packages/redhat/sshd.pam
@@ -1,5 +1,5 @@
#%PAM-1.0
-auth required /lib/security/pam_pwdb.so shadow nodelay nullok
+auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
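Review bot: The auth line in this file uses pam_pwdb.so, but the example added to UPGRADING shows pam_unix.so, so a Red Hat user following section 6 has no matching line to copy. Either note in UPGRADING that the password checking module differs between the two supplied files, or add a one-line comment above the auth line here pointing to that section.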
diff --git a/sshd.pam.generic b/sshd.pam.generic
index 11e620de..cf5af302 100644
--- a/sshd.pam.generic
+++ b/sshd.pam.generic
@@ -1,5 +1,5 @@
#%PAM-1.0
-auth required /lib/security/pam_unix.so shadow nodelay nullok
+auth required /lib/security/pam_unix.so shadow nodelay
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so
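Review bot: Only the auth line at the top of the file is changed, and the hunk shows just the first five lines, so please confirm that no later pam_unix.so entry (for example a password line following pam_cracklib.so) still carries "nullok". Leaving the flag elsewhere in the file would be inconsistent with the ChangeLog statement that the directive was removed from the default PAM configuration files.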