On Thu, 2002-07-18 at 03:10, MaxiM Basunov wrote: > Hello, cooker. > > Please advise this bug: > http://bugzilla.mindrot.org/show_bug.cgi?id=235 > > set "PermitEmptyPasswords no" in sshd_config > useradd test > vi shadow for setting EMPTY password > ssh test@localhost > after prompt "test@localhost's password:", enter any non empty password. > > Authorization succeeds and "remote" user gain access to system. > It also valid if user is root.
Since you have to be root in the first place to modify sshd_config, to useradd, to vi shadow, then you're already root, and why would it be necessary to deliberately then make a remote hole? The only use I could see is a scripted trojan or worm. -- Brad Felmey
