Bug 609

Summary: empty password accounts can login with random password
Product: Portable OpenSSH Reporter: Andrew Daviel <advax>
Component: sshdAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED INVALID    
Severity: security CC: matthewg
Priority: P2    
Version: 3.6.1p2   
Hardware: ix86   
OS: Linux   

Description Andrew Daviel 2003-07-01 09:39:04 AEST 
A RedHat 9.0 system (with RedHat's openssh-server-3.5p1-6) is configured with 
"PermitEmptyPasswords no".
An account is created with an empty password (null in /etc/shadow). The intent
is to allow console logins only. This works on A RedHat 8.0 system with 
OpenSSH openssh-server-3.4p1-2.

SSH logins with an empty password are indeed blocked (unless 
"PermitEmptyPasswords yes" is set).

However, any random password will allow login. On RedHat 8, it won't.

I notice that if I list allowed remote users in "AllowUsers" then I can block
the local-only user, which provides a workaround (or may be a better solution
than just blocking empty passwords)
Comment 1 Darren Tucker 2003-07-01 09:55:09 AEST 
Can you reproduce this with vanilla openssh-3.6.1p2 (eg from ftp.ca.openbsd.org
) configured --with-pam?
Comment 2 Matthew Sachs 2003-07-01 10:37:56 AEST 
I think that bug #611 might be the cause of this.
Comment 3 Damien Miller 2003-07-01 11:00:27 AEST 
RTFM, or get your distributor to:

http://www.openssh.com/faq.html#3.2
Comment 4 Darren Tucker 2003-07-01 11:03:38 AEST 
As a workaround, you could give your no-password user a shell that's not listed 
in /etc/shells.  This will cause sshd to deny the connection attempt very early 
in the authentication process.
Comment 5 Damien Miller 2003-07-01 11:10:34 AEST 
There is no need for an additional workaround - one must remove the "nullok"
flag in the PAM conf.

Really, the bug is in PAM itself.
Comment 6 Andrew Daviel 2003-07-01 14:23:53 AEST 
OK, after messing around trying 3.6.1p2 I realize I had a "DenyUsers" line
in sshd_config on the RedHat 8 system which I had forgotten about.
The RedHat sshd.pam does not have nullok but it is chained to system-auth
which does. I guess unchaining it might work but I don't want to depart
too much from the stock distro especially in things I don't really understand
(like PAM)

So the issue is that PermitEmptyPasswords is ignored if PAM is used.
If PAM is really broken like this then maybe a note in the sshd_config manpage
is in order.
Comment 7 Damien Miller 2004-04-14 12:24:19 AEST 
Mass change of RESOLVED bugs to CLOSED