From 36a5b38eb813fdd1d8da0731b33aa967a066d8b8 Mon Sep 17 00:00:00 2001
From: damien
Date: Sun, 26 Dec 1999 23:45:54 +0000
Subject: [PATCH] - PAM bugfix. PermitEmptyPassword was being ignored. - Fixed PAM config files to allow empty passwords if server does. - Explained spurious PAM auth warning workaround in UPGRADING
---
 ChangeLog | 3 +++
 TODO | 4 +---
 UPGRADING | 3 +++
 packages/redhat/sshd.pam | 2 +-
 sshd.c | 3 +++
 sshd.pam.generic | 2 +-
 6 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9cf24547..575b8b17 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@
 - Removed credits from README to CREDITS file, updated.
 - Added --with-default-path to specify custom path for server
 - Removed #ifdef trickery from acconfig.h into defines.h
+ - PAM bugfix. PermitEmptyPassword was being ignored.
+ - Fixed PAM config files to allow empty passwords if server does.
+ - Explained spurious PAM auth warning workaround in UPGRADING
 19991226
 - Enabled utmpx support by default for Solaris
diff --git a/TODO b/TODO
index fffdb1ca..1d07c5c6 100644
--- a/TODO
+++ b/TODO
@@ -4,9 +4,7 @@
 - Better documentation
-- Port to other platforms (Finish Solaris support)
-
-- Fix paths in manpages using autoconf
+- Port to other platforms
 - Better testing on non-PAM systems
diff --git a/UPGRADING b/UPGRADING
index 854bd229..526d5789 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -53,3 +53,6 @@ These are generated because OpenSSH first tries to determine whether a user needs authentication to login (e.g. empty password). Unfortunatly PAM likes to log all authentication events, this one included.
+If it annoys you too much, set "PermitEmptyPasswords no" in
+sshd_config. This will quiet the error message at the expense of
+disabling logins to accounts with no password set.
diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam
index 26dcb34d..9ec42469 100644
--- a/packages/redhat/sshd.pam
+++ b/packages/redhat/sshd.pam
@@ -1,5 +1,5 @@
 #%PAM-1.0
-auth required /lib/security/pam_pwdb.so shadow nodelay
+auth required /lib/security/pam_pwdb.so shadow nodelay nullok
 auth required /lib/security/pam_nologin.so
 account required /lib/security/pam_pwdb.so
 password required /lib/security/pam_cracklib.so
diff --git a/sshd.c b/sshd.c
index 46a327f8..f3169078 100644
--- a/sshd.c
+++ b/sshd.c
@@ -242,6 +242,9 @@ int do_pam_auth(const char *user, const char *password) { int pam_retval;
+ if ((options.permit_empty_passwd == 0) && (password[0] == '\0')
+ return 0;
+ pampasswd = password;
 pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
diff --git a/sshd.pam.generic b/sshd.pam.generic
index cf5af302..11e620de 100644
--- a/sshd.pam.generic
+++ b/sshd.pam.generic
@@ -1,5 +1,5 @@
 #%PAM-1.0
-auth required /lib/security/pam_unix.so shadow nodelay
+auth required /lib/security/pam_unix.so shadow nodelay nullok
 auth required /lib/security/pam_nologin.so
 account required /lib/security/pam_unix.so
 password required /lib/security/pam_cracklib.so
-- 2.45.2
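Review bot: The `nullok` added to the first `auth` line makes the PAM stack itself accept empty passwords, and the file carries no comment saying that refusal is now left to sshd's `options.permit_empty_passwd` test in do_pam_auth. An administrator who copies this stack for another service, or pairs it with an sshd build that lacks that test, would permit empty-password logins with nothing in the config to warn them. I would add a comment above the line, e.g. `# nullok: empty passwords are accepted here so that sshd's PermitEmptyPasswords decides; drop nullok to refuse them regardless of sshd_config`. The same applies to the identical change in sshd.pam.generic.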
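Review bot: The added `if` in do_pam_auth is missing its closing parenthesis, so the file will not compile as written; it should read `if ((options.permit_empty_passwd == 0) && (password[0] == '\0'))`. The test also reads `password[0]` without a NULL check, and the callers are outside this hunk, so confirm none can pass NULL or guard the dereference. Because the PAM configs in this commit gain `nullok`, this early `return 0` is presumably the only thing enforcing `PermitEmptyPasswords no` for PAM password logins, and a comment such as `/* PAM stack uses nullok; refuse empty passwords here when the server forbids them */` would keep a later cleanup from dropping it. The function body continues past the end of the hunk.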