- PAM bugfix. PermitEmptyPassword was being ignored.

- Fixed PAM config files to allow empty passwords if server does. - Explained spurious PAM auth warning workaround in UPGRADING
1999-12-27 10:45:54 +11:00 · 1999-12-27 10:45:54 +11:00 · 373d2917a8
parent 5a3e68382d
commit 373d2917a8
6 changed files with 13 additions and 6 deletions
--- a/3
+++ b/3
@ -4,6 +4,9 @@
 - Removed credits from README to CREDITS file, updated.
 - Added --with-default-path to specify custom path for server
 - Removed #ifdef trickery from acconfig.h into defines.h
+ - PAM bugfix. PermitEmptyPassword was being ignored.
+ - Fixed PAM config files to allow empty passwords if server does.
+ - Explained spurious PAM auth warning workaround in UPGRADING

 19991226
 - Enabled utmpx support by default for Solaris
--- a/4
+++ b/4
@ -4,9 +4,7 @@

 - Better documentation

- Port to other platforms (Finish Solaris support)
-
- Fix paths in manpages using autoconf
+- Port to other platforms

 - Better testing on non-PAM systems

--- a/3
+++ b/3
@ -53,3 +53,6 @@ These are generated because OpenSSH first tries to determine whether a
 user needs authentication to login (e.g. empty password). Unfortunatly
 PAM likes to log all authentication events, this one included.

+If it annoys you too much, set "PermitEmptyPasswords no" in 
+sshd_config. This will quiet the error message at the expense of
+disabling logins to accounts with no password set.
--- a/packages/redhat/sshd.pam
+++ b/packages/redhat/sshd.pam
@ -1,5 +1,5 @@
 #%PAM-1.0
-auth       required     /lib/security/pam_pwdb.so shadow nodelay
+auth       required     /lib/security/pam_pwdb.so shadow nodelay nullok
 auth       required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_pwdb.so
 password   required     /lib/security/pam_cracklib.so
--- a/sshd.c
+++ b/sshd.c
@ -11,7 +11,7 @@
 */

 #include "includes.h"
-RCSID("$Id: sshd.c,v 1.43 1999/12/26 03:04:33 damien Exp $");
+RCSID("$Id: sshd.c,v 1.44 1999/12/26 23:45:54 damien Exp $");

 #ifdef HAVE_POLL_H
 # include <poll.h>
@ -242,6 +242,9 @@ int do_pam_auth(const char *user, const char *password)
 {
 	int pam_retval;
 	
+	if ((options.permit_empty_passwd == 0) && (password[0] == '\0')
+		return 0;
+
 	pampasswd = password;
 	
 	pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
--- a/sshd.pam.generic
+++ b/sshd.pam.generic
@ -1,5 +1,5 @@
 #%PAM-1.0
-auth       required     /lib/security/pam_unix.so shadow nodelay
+auth       required     /lib/security/pam_unix.so shadow nodelay nullok
 auth       required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_unix.so
 password   required     /lib/security/pam_cracklib.so