diff options
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | UPGRADING | 21 | ||||
| -rw-r--r-- | packages/redhat/sshd.pam | 2 | ||||
| -rw-r--r-- | sshd.pam.generic | 2 |
4 files changed, 26 insertions, 2 deletions
| @@ -2,6 +2,9 @@ | |||
| 2 | - Add explicit make rules for files proccessed by fixpaths. | 2 | - Add explicit make rules for files proccessed by fixpaths. |
| 3 | - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori | 3 | - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori |
| 4 | <tnh@kondara.org> | 4 | <tnh@kondara.org> |
| 5 | - Removed "nullok" directive from default PAM configuration files. | ||
| 6 | Added information on enabling EmptyPasswords on openssh+PAM in | ||
| 7 | UPGRADING file. | ||
| 5 | 8 | ||
| 6 | 20000102 | 9 | 20000102 |
| 7 | - Prevent multiple inclusion of config.h and defines.h. Suggested | 10 | - Prevent multiple inclusion of config.h and defines.h. Suggested |
| @@ -57,3 +57,24 @@ If it annoys you too much, set "PermitEmptyPasswords no" in | |||
| 57 | sshd_config. This will quiet the error message at the expense of | 57 | sshd_config. This will quiet the error message at the expense of |
| 58 | disabling logins to accounts with no password set. This is the | 58 | disabling logins to accounts with no password set. This is the |
| 59 | default if you use the supplied sshd_config file. | 59 | default if you use the supplied sshd_config file. |
| 60 | |||
| 61 | 6. Empty passwords not allowed with PAM authentication | ||
| 62 | |||
| 63 | To enable empty passwords with a version of OpenSSH built with PAM you | ||
| 64 | must add the flag "nullok" to the end of the password checking module | ||
| 65 | in the /etc/pam.d/sshd file. For example: | ||
| 66 | |||
| 67 | auth required/lib/security/pam_unix.so shadow nodelay nullok | ||
| 68 | |||
| 69 | This must be done in addtion to setting "PermitEmptyPasswords yes" | ||
| 70 | in the sshd_config file. | ||
| 71 | |||
| 72 | There is one caveat when using empty passwords with PAM | ||
| 73 | authentication: PAM will allow _any_ password when authenticating | ||
| 74 | an account with an empty password. This breaks the check that sshd | ||
| 75 | uses to determined whether an account has no password set and grant | ||
| 76 | users access to the account regardless of the policy specified by | ||
| 77 | "PermitEmptyPasswords". For this reason, it is recommended that you do | ||
| 78 | not add the "nullok" directive to your PAM configuration file unless | ||
| 79 | you specifically wish to allow empty passwords. | ||
| 80 | |||
diff --git a/packages/redhat/sshd.pam b/packages/redhat/sshd.pam index 9ec42469e..26dcb34d9 100644 --- a/packages/redhat/sshd.pam +++ b/packages/redhat/sshd.pam | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | #%PAM-1.0 | 1 | #%PAM-1.0 |
| 2 | auth required /lib/security/pam_pwdb.so shadow nodelay nullok | 2 | auth required /lib/security/pam_pwdb.so shadow nodelay |
| 3 | auth required /lib/security/pam_nologin.so | 3 | auth required /lib/security/pam_nologin.so |
| 4 | account required /lib/security/pam_pwdb.so | 4 | account required /lib/security/pam_pwdb.so |
| 5 | password required /lib/security/pam_cracklib.so | 5 | password required /lib/security/pam_cracklib.so |
diff --git a/sshd.pam.generic b/sshd.pam.generic index 11e620dea..cf5af3024 100644 --- a/sshd.pam.generic +++ b/sshd.pam.generic | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | #%PAM-1.0 | 1 | #%PAM-1.0 |
| 2 | auth required /lib/security/pam_unix.so shadow nodelay nullok | 2 | auth required /lib/security/pam_unix.so shadow nodelay |
| 3 | auth required /lib/security/pam_nologin.so | 3 | auth required /lib/security/pam_nologin.so |
| 4 | account required /lib/security/pam_unix.so | 4 | account required /lib/security/pam_unix.so |
| 5 | password required /lib/security/pam_cracklib.so | 5 | password required /lib/security/pam_cracklib.so |