Bug 235 - While PermitEmptyPasswords no, user can connect, entering ANY other password
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: ix86 Linux
Importance: P2 major
Assignee: OpenSSH Bugzilla mailing list
Reported: 2002-05-05 23:45 AEST by MaxiM Basunov
Modified: 2004-04-14 12:24 AEST

Attachments
Try the following patch to auth-passwd.c (592 bytes, patch)
2002-05-06 06:09 AEST, Ben Lindstrom

Description MaxiM Basunov 2002-05-05 23:45:50 AEST
set "PermitEmptyPasswords no" in sshd_config
useradd test
vi shadow for setting EMPTY password
ssh test@localhost
After the prompt "test@localhost's password:", enter any non-empty password.

Authorization succeeds and the "remote" user gains access to the system.
It is also valid if the user is root.
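
The precondition in this report is an account whose shadow password field is empty. The following audit is an added example, not part of the bug report and not OpenSSH code: it lists such accounts and reports the global PermitEmptyPasswords value. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not OpenSSH code): audit for accounts with an empty shadow
# password field, the precondition described in this bug report.

# shadow(5): name:hash:lastchg:... An empty 2nd field means no password is
# set; "!" or "*" there means the account is locked instead.
empty_password_accounts() {
    awk -F: '$1 != "" && $1 !~ /^#/ && NF >= 2 && $2 == "" { print $1 }' \
        "${1:-/etc/shadow}"
}

# Global PermitEmptyPasswords value: first occurrence wins, keywords are
# case-insensitive, default is "no". Match blocks are not evaluated.
permit_empty_passwords() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitemptypasswords" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "${1:-/etc/ssh/sshd_config}"
}

# Returns 1 and names the accounts if any empty password field exists.
audit_empty_passwords() {
    users=$(empty_password_accounts "$1")
    [ -n "$users" ] || { echo "OK: no empty password fields"; return 0; }
    echo "sshd PermitEmptyPasswords: $(permit_empty_passwords "$2")"
    for u in $users; do echo "EMPTY PASSWORD FIELD: $u"; done
    return 1
}

# Constructed sample files (the hash value is a placeholder, not a real hash).
write_sample() {
    printf '%s\n' 'root:$6$CONSTRUCTED$placeholder:19000:0:99999:7:::' \
        'test::11812:0:99999:7:::' 'daemon:*:19000:0:99999:7:::' \
        'locked:!:19000:0:99999:7:::' > "$1/shadow"
    printf '%s\n' '# constructed sshd_config' 'Port 22' \
        '  permitemptypasswords NO' 'PermitEmptyPasswords yes' > "$1/sshd_config"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_empty_passwords "$demo_dir/shadow" "$demo_dir/sshd_config" || true
rm -rf "$demo_dir"
```

Run against the real `/etc/shadow` (root is required to read it), any account it names should be locked or given a password rather than relying on PermitEmptyPasswords alone.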
Comment 1 Ben Lindstrom 2002-05-06 06:09:32 AEST
Created attachment 92
Try the following patch to auth-passwd.c
Comment 2 Damien Miller 2002-05-06 09:28:07 AEST
Are you using PAM? Your problem isn't related to
http://www.openssh.com/faq.html#3.2, is it?
Comment 3 Ben Lindstrom 2002-05-06 10:56:38 AEST
DJM, as stated in the private list I can reproduce this with OpenBSD's release
so it is not PAM related.  Just bad code that we picked up from back in the
old SSH Corp releases.
Comment 4 Kevin Steves 2002-07-18 15:17:59 AEST
This was fixed in OpenBSD and is documented for Linux PAM.
Comment 5 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED