- Removed "nullok" directive from default PAM configuration files.

Added information on enabling EmptyPasswords on openssh+PAM in UPGRADING file.
author: Damien Miller <djm@mindrot.org> 2000-01-03 20:00:52 +1100
committer: Damien Miller <djm@mindrot.org> 2000-01-03 20:00:52 +1100
commit: e9c8f4dfdc0117fb02b9d9a421f07464ccadfcff (patch)
tree: 913ab445f121847b23814d849ce74c23facbda27
parent: 645c598d3c6c64f1f20de6fc43d4484033417b4d (diff)
4 files changed, 26 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index d2413c161..53236e09e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@
 - Add explicit make rules for files proccessed by fixpaths.
 - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori  
   <tnh@kondara.org>
+ - Removed "nullok" directive from default PAM configuration files. 
+   Added information on enabling EmptyPasswords on openssh+PAM in 
+   UPGRADING file.
 20000102
 - Prevent multiple inclusion of config.h and defines.h. Suggested
diff --git a/UPGRADING b/UPGRADING
index 56585de4b..6350fe048 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -57,3 +57,24 @@ If it annoys you too much, set "PermitEmptyPasswords no" in
 sshd_config. This will quiet the error message at the expense of
 disabling logins to accounts with no password set. This is the 
 default if you use the supplied sshd_config file.
+6. Empty passwords not allowed with PAM authentication
+To enable empty passwords with a version of OpenSSH built with PAM you
+must add the flag "nullok" to the end of the password checking module
+in the /etc/pam.d/sshd file. For example:
+auth required/lib/security/pam_unix.so shadow nodelay nullok
+This must be done in addtion to setting "PermitEmptyPasswords yes"
+in the sshd_config file.
+There is one caveat when using empty passwords with PAM
+authentication: PAM will allow _any_ password when authenticating
+an account with an empty password. This breaks the check that sshd
+uses to determined whether an account has no password set and grant
+users access to the account regardless of the policy specified by
+"PermitEmptyPasswords". For this reason, it is recommended that you do
+not add the "nullok" directive to your PAM configuration file unless
+you specifically wish to allow empty passwords.
diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam
index 9ec42469e..26dcb34d9 100644
--- a/packages/redhat/sshd.pam
+++ b/packages/redhat/sshd.pam
@@ -1,5 +1,5 @@
 #%PAM-1.0
-auth       required     /lib/security/pam_pwdb.so shadow nodelay nullok
+auth       required     /lib/security/pam_pwdb.so shadow nodelay
 auth       required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_pwdb.so
 password   required     /lib/security/pam_cracklib.so
diff --git a/sshd.pam.generic b/sshd.pam.generic
index 11e620dea..cf5af3024 100644
--- a/sshd.pam.generic
+++ b/sshd.pam.generic
@@ -1,5 +1,5 @@
 #%PAM-1.0
-auth       required     /lib/security/pam_unix.so shadow nodelay nullok
+auth       required     /lib/security/pam_unix.so shadow nodelay
 auth       required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_unix.so
 password   required     /lib/security/pam_cracklib.so
author	Damien Miller <djm@mindrot.org>	2000-01-03 20:00:52 +1100
committer	Damien Miller <djm@mindrot.org>	2000-01-03 20:00:52 +1100
commit	e9c8f4dfdc0117fb02b9d9a421f07464ccadfcff (patch)
tree	913ab445f121847b23814d849ce74c23facbda27
parent	645c598d3c6c64f1f20de6fc43d4484033417b4d (diff)

diff --git a/ChangeLog b/ChangeLog index d2413c161..53236e09e 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -2,6 +2,9 @@
2	- Add explicit make rules for files proccessed by fixpaths.	2	- Add explicit make rules for files proccessed by fixpaths.
3	- Fix "make install" in RPM spec files. Report from Tenkou N. Hattori	3	- Fix "make install" in RPM spec files. Report from Tenkou N. Hattori
4	<tnh@kondara.org>	4	<tnh@kondara.org>
		5	- Removed "nullok" directive from default PAM configuration files.
		6	Added information on enabling EmptyPasswords on openssh+PAM in
		7	UPGRADING file.
5		8
6	20000102	9	20000102
7	- Prevent multiple inclusion of config.h and defines.h. Suggested	10	- Prevent multiple inclusion of config.h and defines.h. Suggested


diff --git a/UPGRADING b/UPGRADING index 56585de4b..6350fe048 100644 --- a/UPGRADING +++ b/UPGRADING
@@ -57,3 +57,24 @@ If it annoys you too much, set "PermitEmptyPasswords no" in
57	sshd_config. This will quiet the error message at the expense of	57	sshd_config. This will quiet the error message at the expense of
58	disabling logins to accounts with no password set. This is the	58	disabling logins to accounts with no password set. This is the
59	default if you use the supplied sshd_config file.	59	default if you use the supplied sshd_config file.
		60
		61	6. Empty passwords not allowed with PAM authentication
		62
		63	To enable empty passwords with a version of OpenSSH built with PAM you
		64	must add the flag "nullok" to the end of the password checking module
		65	in the /etc/pam.d/sshd file. For example:
		66
		67	auth required/lib/security/pam_unix.so shadow nodelay nullok
		68
		69	This must be done in addtion to setting "PermitEmptyPasswords yes"
		70	in the sshd_config file.
		71
		72	There is one caveat when using empty passwords with PAM
		73	authentication: PAM will allow _any_ password when authenticating
		74	an account with an empty password. This breaks the check that sshd
		75	uses to determined whether an account has no password set and grant
		76	users access to the account regardless of the policy specified by
		77	"PermitEmptyPasswords". For this reason, it is recommended that you do
		78	not add the "nullok" directive to your PAM configuration file unless
		79	you specifically wish to allow empty passwords.
		80


diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam index 9ec42469e..26dcb34d9 100644 --- a/packages/redhat/sshd.pam +++ b/packages/redhat/sshd.pam
@@ -1,5 +1,5 @@
1	#%PAM-1.0	1	#%PAM-1.0
2	auth required /lib/security/pam_pwdb.so shadow nodelay nullok	2	auth required /lib/security/pam_pwdb.so shadow nodelay
3	auth required /lib/security/pam_nologin.so	3	auth required /lib/security/pam_nologin.so
4	account required /lib/security/pam_pwdb.so	4	account required /lib/security/pam_pwdb.so
5	password required /lib/security/pam_cracklib.so	5	password required /lib/security/pam_cracklib.so


diff --git a/sshd.pam.generic b/sshd.pam.generic index 11e620dea..cf5af3024 100644 --- a/sshd.pam.generic +++ b/sshd.pam.generic
@@ -1,5 +1,5 @@
1	#%PAM-1.0	1	#%PAM-1.0
2	auth required /lib/security/pam_unix.so shadow nodelay nullok	2	auth required /lib/security/pam_unix.so shadow nodelay
3	auth required /lib/security/pam_nologin.so	3	auth required /lib/security/pam_nologin.so
4	account required /lib/security/pam_unix.so	4	account required /lib/security/pam_unix.so
5	password required /lib/security/pam_cracklib.so	5	password required /lib/security/pam_cracklib.so