summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>1999-12-27 10:45:54 +1100
committerDamien Miller <djm@mindrot.org>1999-12-27 10:45:54 +1100
commit373d2917a8349aa39f31791ceaaf7fc21b945084 (patch)
tree1d1c6e1ca281d1511d6817bdbd61930e0bc06ff3
parent5a3e68382d3414b922af58a19196635d750581ca (diff)
- PAM bugfix. PermitEmptyPassword was being ignored.
- Fixed PAM config files to allow empty passwords if server does. - Explained spurious PAM auth warning workaround in UPGRADING
-rw-r--r--ChangeLog3
-rw-r--r--TODO4
-rw-r--r--UPGRADING3
-rw-r--r--packages/redhat/sshd.pam2
-rw-r--r--sshd.c5
-rw-r--r--sshd.pam.generic2
6 files changed, 13 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index 9cf24547..575b8b17 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@
- Removed credits from README to CREDITS file, updated.
- Added --with-default-path to specify custom path for server
- Removed #ifdef trickery from acconfig.h into defines.h
+ - PAM bugfix. PermitEmptyPassword was being ignored.
+ - Fixed PAM config files to allow empty passwords if server does.
+ - Explained spurious PAM auth warning workaround in UPGRADING
19991226
- Enabled utmpx support by default for Solaris
diff --git a/TODO b/TODO
index fffdb1ca..1d07c5c6 100644
--- a/TODO
+++ b/TODO
@@ -4,9 +4,7 @@
- Better documentation
-- Port to other platforms (Finish Solaris support)
-
-- Fix paths in manpages using autoconf
+- Port to other platforms
- Better testing on non-PAM systems
diff --git a/UPGRADING b/UPGRADING
index 854bd229..526d5789 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -53,3 +53,6 @@ These are generated because OpenSSH first tries to determine whether a
user needs authentication to login (e.g. empty password). Unfortunatly
PAM likes to log all authentication events, this one included.
+If it annoys you too much, set "PermitEmptyPasswords no" in
+sshd_config. This will quiet the error message at the expense of
+disabling logins to accounts with no password set.
diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam
index 26dcb34d..9ec42469 100644
--- a/packages/redhat/sshd.pam
+++ b/packages/redhat/sshd.pam
@@ -1,5 +1,5 @@
#%PAM-1.0
-auth required /lib/security/pam_pwdb.so shadow nodelay
+auth required /lib/security/pam_pwdb.so shadow nodelay nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
diff --git a/sshd.c b/sshd.c
index e3596de5..761ed52c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -11,7 +11,7 @@
*/
#include "includes.h"
-RCSID("$Id: sshd.c,v 1.43 1999/12/26 03:04:33 damien Exp $");
+RCSID("$Id: sshd.c,v 1.44 1999/12/26 23:45:54 damien Exp $");
#ifdef HAVE_POLL_H
# include <poll.h>
@@ -242,6 +242,9 @@ int do_pam_auth(const char *user, const char *password)
{
int pam_retval;
+ if ((options.permit_empty_passwd == 0) && (password[0] == '\0')
+ return 0;
+
pampasswd = password;
pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
diff --git a/sshd.pam.generic b/sshd.pam.generic
index cf5af302..11e620de 100644
--- a/sshd.pam.generic
+++ b/sshd.pam.generic
@@ -1,5 +1,5 @@
#%PAM-1.0
-auth required /lib/security/pam_unix.so shadow nodelay
+auth required /lib/security/pam_unix.so shadow nodelay nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so