- Removed "nullok" directive from default PAM configuration files.

Added information on enabling EmptyPasswords on openssh+PAM in UPGRADING file.
2000-01-03 20:00:52 +11:00 · 2000-01-03 20:00:52 +11:00 · e9c8f4dfdc
parent 645c598d3c
commit e9c8f4dfdc
4 changed files with 26 additions and 2 deletions
--- a/3
+++ b/3
@ -2,6 +2,9 @@
 - Add explicit make rules for files proccessed by fixpaths.
 - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori  
   <tnh@kondara.org>
+ - Removed "nullok" directive from default PAM configuration files. 
+   Added information on enabling EmptyPasswords on openssh+PAM in 
+   UPGRADING file.

 20000102
 - Prevent multiple inclusion of config.h and defines.h. Suggested
--- a/21
+++ b/21
@ -57,3 +57,24 @@ If it annoys you too much, set "PermitEmptyPasswords no" in
 sshd_config. This will quiet the error message at the expense of
 disabling logins to accounts with no password set. This is the 
 default if you use the supplied sshd_config file.
+
+6. Empty passwords not allowed with PAM authentication
+
+To enable empty passwords with a version of OpenSSH built with PAM you
+must add the flag "nullok" to the end of the password checking module
+in the /etc/pam.d/sshd file. For example:
+
+auth required/lib/security/pam_unix.so shadow nodelay nullok
+
+This must be done in addtion to setting "PermitEmptyPasswords yes"
+in the sshd_config file.
+
+There is one caveat when using empty passwords with PAM
+authentication: PAM will allow _any_ password when authenticating
+an account with an empty password. This breaks the check that sshd
+uses to determined whether an account has no password set and grant
+users access to the account regardless of the policy specified by
+"PermitEmptyPasswords". For this reason, it is recommended that you do
+not add the "nullok" directive to your PAM configuration file unless
+you specifically wish to allow empty passwords.
+
--- a/packages/redhat/sshd.pam
+++ b/packages/redhat/sshd.pam
@ -1,5 +1,5 @@
 #%PAM-1.0
-auth       required     /lib/security/pam_pwdb.so shadow nodelay nullok
+auth       required     /lib/security/pam_pwdb.so shadow nodelay
 auth       required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_pwdb.so
 password   required     /lib/security/pam_cracklib.so
--- a/sshd.pam.generic
+++ b/sshd.pam.generic
@ -1,5 +1,5 @@
 #%PAM-1.0
-auth       required     /lib/security/pam_unix.so shadow nodelay nullok
+auth       required     /lib/security/pam_unix.so shadow nodelay
 auth       required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_unix.so
 password   required     /lib/security/pam_cracklib.so