author | Damien Miller <djm@mindrot.org> | 2000-01-03 20:00:52 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-01-03 20:00:52 +1100 |
commit | e9c8f4dfdc0117fb02b9d9a421f07464ccadfcff (patch) | |
tree | 913ab445f121847b23814d849ce74c23facbda27 /UPGRADING | |
parent | 645c598d3c6c64f1f20de6fc43d4484033417b4d (diff) |
- Removed "nullok" directive from default PAM configuration files.
Added information on enabling EmptyPasswords on openssh+PAM in
UPGRADING file.
Diffstat (limited to 'UPGRADING')
-rw-r--r-- | UPGRADING | 21 |
1 files changed, 21 insertions, 0 deletions
@@ -57,3 +57,24 @@ If it annoys you too much, set "PermitEmptyPasswords no" in | |||
57 | sshd_config. This will quiet the error message at the expense of | 57 | sshd_config. This will quiet the error message at the expense of |
58 | disabling logins to accounts with no password set. This is the | 58 | disabling logins to accounts with no password set. This is the |
59 | default if you use the supplied sshd_config file. | 59 | default if you use the supplied sshd_config file. |
60 | |||
61 | 6. Empty passwords not allowed with PAM authentication | ||
62 | |||
63 | To enable empty passwords with a version of OpenSSH built with PAM you | ||
64 | must add the flag "nullok" to the end of the password checking module | ||
65 | in the /etc/pam.d/sshd file. For example: | ||
66 | |||
67 | auth required/lib/security/pam_unix.so shadow nodelay nullok | ||
68 | |||
69 | This must be done in addtion to setting "PermitEmptyPasswords yes" | ||
70 | in the sshd_config file. | ||
71 | |||
72 | There is one caveat when using empty passwords with PAM | ||
73 | authentication: PAM will allow _any_ password when authenticating | ||
74 | an account with an empty password. This breaks the check that sshd | ||
75 | uses to determined whether an account has no password set and grant | ||
76 | users access to the account regardless of the policy specified by | ||
77 | "PermitEmptyPasswords". For this reason, it is recommended that you do | ||
78 | not add the "nullok" directive to your PAM configuration file unless | ||
79 | you specifically wish to allow empty passwords. | ||
80 | |||
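Review bot: the example PAM line at new line 67 has no whitespace between the control flag and the module path ("auth required/lib/security/pam_unix.so ..."). PAM fields are whitespace-separated, so as shown the line would not parse as intended when copied; it should read "auth required /lib/security/pam_unix.so shadow nodelay nullok". There are also three wording slips in the added text: "addtion" (line 69) should be "addition", "uses to determined" (line 75) should be "uses to determine", and "and grant users access" (lines 75-76) should be "and grants users access". Finally, the caveat in lines 72-79 is the security-relevant part of this section: once "nullok" is set, an account with an empty password accepts any password regardless of "PermitEmptyPasswords". Consider moving that warning ahead of the enabling instructions and stating outright that "PermitEmptyPasswords no" does not protect such accounts once "nullok" is present, so an administrator reads the consequence before copying the example line.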