- Removed "nullok" directive from default PAM configuration files.

Added information on enabling EmptyPasswords on openssh+PAM in
   UPGRADING file.
Damien Miller 2000-01-03 20:00:52 +11:00
parent 645c598d3c
commit e9c8f4dfdc
4 changed files with 26 additions and 2 deletions

@ -2,6 +2,9 @@
- Add explicit make rules for files proccessed by fixpaths. - Add explicit make rules for files proccessed by fixpaths.
- Fix "make install" in RPM spec files. Report from Tenkou N. Hattori - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori
<tnh@kondara.org> <tnh@kondara.org>
- Removed "nullok" directive from default PAM configuration files.
Added information on enabling EmptyPasswords on openssh+PAM in
UPGRADING file.
20000102 20000102
- Prevent multiple inclusion of config.h and defines.h. Suggested - Prevent multiple inclusion of config.h and defines.h. Suggested
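
Review bot: the new ChangeLog entry refers to "EmptyPasswords", but the sshd_config option the UPGRADING text in this commit tells users to set is "PermitEmptyPasswords". Use the exact option name so that a search of the ChangeLog finds this entry. The entry should also say that, with the default PAM files, accounts with no password set can no longer log in until "nullok" is added back, since that is the behaviour change an upgrading administrator will notice.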

@ -57,3 +57,24 @@ If it annoys you too much, set "PermitEmptyPasswords no" in
sshd_config. This will quiet the error message at the expense of sshd_config. This will quiet the error message at the expense of
disabling logins to accounts with no password set. This is the disabling logins to accounts with no password set. This is the
default if you use the supplied sshd_config file. default if you use the supplied sshd_config file.
6. Empty passwords not allowed with PAM authentication
To enable empty passwords with a version of OpenSSH built with PAM you
must add the flag "nullok" to the end of the password checking module
in the /etc/pam.d/sshd file. For example:
auth required/lib/security/pam_unix.so shadow nodelay nullok
This must be done in addtion to setting "PermitEmptyPasswords yes"
in the sshd_config file.
There is one caveat when using empty passwords with PAM
authentication: PAM will allow _any_ password when authenticating
an account with an empty password. This breaks the check that sshd
uses to determined whether an account has no password set and grant
users access to the account regardless of the policy specified by
"PermitEmptyPasswords". For this reason, it is recommended that you do
not add the "nullok" directive to your PAM configuration file unless
you specifically wish to allow empty passwords.
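
Review bot: in the caveat paragraph of the new section 6, the security consequence comes last and is easy to miss: with "nullok" present, PAM accepts any password for an account whose password is empty, and "PermitEmptyPasswords" no longer decides access. State that at the top of the section so that a reader who stops at the example line does not add the flag unaware. The example names only pam_unix.so, while one of the default PAM files changed in this commit uses pam_pwdb.so, so say that the flag goes on whichever module the auth line names. Typos in the added lines: "addtion" should be "addition", "uses to determined" should be "uses to determine", and "grant users access" should be "grants users access".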

@ -1,5 +1,5 @@
#%PAM-1.0 #%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay nullok auth required /lib/security/pam_pwdb.so shadow nodelay
auth required /lib/security/pam_nologin.so auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so password required /lib/security/pam_cracklib.so
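
Review bot: the auth line for pam_pwdb.so drops "nullok" with nothing in the file to say why, so an administrator comparing this file with an older copy may simply restore the flag. A comment line above the auth entry pointing to section 6 of UPGRADING, where the any-password caveat is explained, would keep the rationale next to the setting.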

@ -1,5 +1,5 @@
#%PAM-1.0 #%PAM-1.0
auth required /lib/security/pam_unix.so shadow nodelay nullok auth required /lib/security/pam_unix.so shadow nodelay
auth required /lib/security/pam_nologin.so auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so password required /lib/security/pam_cracklib.so
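
Review bot: only the pam_unix.so auth line loses "nullok" here, and the hunk stops at line 5 of the file, so please confirm that no later line of the file still carries the flag. If one does, either drop it in the same commit or say in UPGRADING which lines the change covers, so that the shipped default and the documentation agree.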