Bug 235

Summary: While PermitEmptyPasswords no, user can connect, entering ANY other password
Product: Portable OpenSSH
Reporter: MaxiM Basunov <maxim>
Component: sshd
Assignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED FIXED
Severity: major
Priority: P2
Version: -current
Hardware: ix86
OS: Linux
Attachments:
Description: Try the following patch to auth-passwd.c
Flags: none

Description MaxiM Basunov 2002-05-05 23:45:50 AEST
set "PermitEmptyPasswords no" in sshd_config
useradd test
vi shadow for setting EMPTY password
ssh test@localhost
after prompt "test@localhost's password:", enter any non empty password.

Authorization succeeds and the "remote" user gains access to the system.
It is also valid if the user is root.
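
A defender-side check for the precondition in the reproduction steps above (an account whose shadow password field is empty, alongside the configured PermitEmptyPasswords value). This is an added example, not part of the original report or of OpenSSH; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow-format and sshd_config-format files.

# Print accounts whose password field (2nd colon-separated field) is empty.
# "*" and "!" mark accounts with no usable password and are not reported.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $1 != "" && $2 == "" { print $1 }' "$1"
}

# Print the global PermitEmptyPasswords value from an sshd_config-format file.
# sshd uses the first value obtained for a keyword, keywords are
# case-insensitive, and the default is "no". Parsing stops at the first
# Match block, so per-match overrides are not evaluated here.
permit_empty_passwords() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitemptypasswords" { v = tolower($2); exit }
        END { print (v == "" ? "no" : v) }
    ' "$1"
}

# Constructed sample input (not real account data).
shadow=$(mktemp)
config=$(mktemp)
trap 'rm -f "$shadow" "$config"' EXIT
cat > "$shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
test::19000:0:99999:7:::
locked:!:19000:0:99999:7:::
EOF
cat > "$config" <<'EOF'
# constructed sshd_config fragment
Port 22
permitemptypasswords = no
PermitEmptyPasswords yes
EOF

for u in $(empty_password_accounts "$shadow"); do
    echo "empty password field: $u" \
         "(PermitEmptyPasswords=$(permit_empty_passwords "$config"))"
done
```

On a live system the functions would be pointed at /etc/shadow and the sshd configuration file, which requires root to read.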
Comment 1 Ben Lindstrom 2002-05-06 06:09:32 AEST
Created attachment 92
Try the following patch to auth-passwd.c
Comment 2 Damien Miller 2002-05-06 09:28:07 AEST
Are you using PAM? Your problem isn't related to
http://www.openssh.com/faq.html#3.2, is it?
Comment 3 Ben Lindstrom 2002-05-06 10:56:38 AEST
DJM, as stated in the private list I can reproduce this with OpenBSD's release
so it is not PAM related.  Just bad code that we picked up from back in the
old SSH Corp releases.
Comment 4 Kevin Steves 2002-07-18 15:17:59 AEST
This was fixed in OpenBSD and is documented for Linux PAM.
Comment 5 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED