- Removed "nullok" directive from default PAM configuration files.

Added information on enabling EmptyPasswords on openssh+PAM in UPGRADING file.
author: Damien Miller <djm@mindrot.org> 2000-01-03 20:00:52 +1100
committer: Damien Miller <djm@mindrot.org> 2000-01-03 20:00:52 +1100
commit: e9c8f4dfdc0117fb02b9d9a421f07464ccadfcff (patch)
tree: 913ab445f121847b23814d849ce74c23facbda27 /UPGRADING
parent: 645c598d3c6c64f1f20de6fc43d4484033417b4d (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/UPGRADING b/UPGRADING
index 56585de4b..6350fe048 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -57,3 +57,24 @@ If it annoys you too much, set "PermitEmptyPasswords no" in
 sshd_config. This will quiet the error message at the expense of
 disabling logins to accounts with no password set. This is the 
 default if you use the supplied sshd_config file.
+6. Empty passwords not allowed with PAM authentication
+To enable empty passwords with a version of OpenSSH built with PAM you
+must add the flag "nullok" to the end of the password checking module
+in the /etc/pam.d/sshd file. For example:
+auth required/lib/security/pam_unix.so shadow nodelay nullok
+This must be done in addtion to setting "PermitEmptyPasswords yes"
+in the sshd_config file.
+There is one caveat when using empty passwords with PAM
+authentication: PAM will allow _any_ password when authenticating
+an account with an empty password. This breaks the check that sshd
+uses to determined whether an account has no password set and grant
+users access to the account regardless of the policy specified by
+"PermitEmptyPasswords". For this reason, it is recommended that you do
+not add the "nullok" directive to your PAM configuration file unless
+you specifically wish to allow empty passwords.
author	Damien Miller <djm@mindrot.org>	2000-01-03 20:00:52 +1100
committer	Damien Miller <djm@mindrot.org>	2000-01-03 20:00:52 +1100
commit	e9c8f4dfdc0117fb02b9d9a421f07464ccadfcff (patch)
tree	913ab445f121847b23814d849ce74c23facbda27 /UPGRADING
parent	645c598d3c6c64f1f20de6fc43d4484033417b4d (diff)

diff --git a/UPGRADING b/UPGRADING index 56585de4b..6350fe048 100644 --- a/UPGRADING +++ b/UPGRADING
@@ -57,3 +57,24 @@ If it annoys you too much, set "PermitEmptyPasswords no" in
57	sshd_config. This will quiet the error message at the expense of	57	sshd_config. This will quiet the error message at the expense of
58	disabling logins to accounts with no password set. This is the	58	disabling logins to accounts with no password set. This is the
59	default if you use the supplied sshd_config file.	59	default if you use the supplied sshd_config file.
		60
		61	6. Empty passwords not allowed with PAM authentication
		62
		63	To enable empty passwords with a version of OpenSSH built with PAM you
		64	must add the flag "nullok" to the end of the password checking module
		65	in the /etc/pam.d/sshd file. For example:
		66
		67	auth required/lib/security/pam_unix.so shadow nodelay nullok
		68
		69	This must be done in addtion to setting "PermitEmptyPasswords yes"
		70	in the sshd_config file.
		71
		72	There is one caveat when using empty passwords with PAM
		73	authentication: PAM will allow _any_ password when authenticating
		74	an account with an empty password. This breaks the check that sshd
		75	uses to determined whether an account has no password set and grant
		76	users access to the account regardless of the policy specified by
		77	"PermitEmptyPasswords". For this reason, it is recommended that you do
		78	not add the "nullok" directive to your PAM configuration file unless
		79	you specifically wish to allow empty passwords.
		80