On Thu Jul 18, 2002 at 11:10:33AM +0300, MaxiM Basunov wrote:
> Please advise this bug:
> http://bugzilla.mindrot.org/show_bug.cgi?id=235
>
> set "PermitEmptyPasswords no" in sshd_config
> useradd test
> vi shadow for setting EMPTY password
> ssh test@localhost
> after prompt "test@localhost's password:", enter any non-empty password.
>
> Authorization succeeds and "remote" user gains access to system.
> It is also valid if user is root.
Hmmm... in other words, don't give users empty passwords. While it might be a bug that can be exploited easily, you'd have to be pretty stupid to go and do this in the first place (I can't think of a single instance where someone would want to give a user an empty password). Besides, the only way someone can exploit this is if a) the admin is an idiot or b) they have root to begin with in order to create this empty-user password. I wouldn't consider this a critical thing at all (unless you're an idiot, in which case if an update became available you probably wouldn't update anyways).

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
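The practical takeaway from both messages is the same: an account with an empty password field is the precondition, and "PermitEmptyPasswords no" did not close it. The following POSIX shell audit is an added example, not code from the thread or from OpenSSH. It reads a shadow-format file and an sshd_config from paths given as parameters (the sample files it builds are constructed, not real system data), reports every account whose password field is empty, and shows the effective PermitEmptyPasswords value. The function names and the `passwd -l` remediation hint are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: audit a
# shadow-format file for accounts with an empty password field and report
# the PermitEmptyPasswords setting of an sshd_config. Both paths are
# parameters; the sample files created below are constructed for offline use.

# Usernames whose password field (second colon-separated field) is empty.
# Hashed entries and locked markers such as "*" or "!" are not reported.
find_empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Effective PermitEmptyPasswords value in an sshd_config: the first
# uncommented directive wins (as in sshd); the compiled-in default is "no".
# Match blocks are not evaluated here (assumption: a flat config file).
permit_empty_passwords() {
    awk 'tolower($1) == "permitemptypasswords" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Return 0 when no account has an empty password, 1 otherwise. The sshd
# setting is printed for context but never suppresses the finding, since
# the report above is precisely that "PermitEmptyPasswords no" did not
# protect such accounts.
audit_empty_passwords() {
    shadow=$1
    sshd_config=$2
    accounts=$(find_empty_password_accounts "$shadow")
    echo "PermitEmptyPasswords: $(permit_empty_passwords "$sshd_config")"
    if [ -z "$accounts" ]; then
        echo "OK: no empty-password accounts in $shadow"
        return 0
    fi
    for u in $accounts; do
        echo "FINDING: account '$u' has an empty password field (lock it: passwd -l $u)"
    done
    return 1
}

# Constructed sample data (hash is a placeholder, not a real digest).
SAMPLE_SHADOW=$(mktemp)
SAMPLE_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW" "$SAMPLE_SSHD_CONFIG"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$saltsalt$fakehashfakehashfakeha:11886:0:99999:7:::
daemon:*:11886:0:99999:7:::
bin:!:11886:0:99999:7:::
test::11886:0:99999:7:::
EOF
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# PermitEmptyPasswords yes
PermitEmptyPasswords no
PasswordAuthentication yes
EOF

# Run against the samples; the "|| :" keeps a finding from aborting a
# caller that runs under "set -e".
audit_empty_passwords "$SAMPLE_SHADOW" "$SAMPLE_SSHD_CONFIG" || :
```

To use it on a live host, run the functions against /etc/shadow (as root) and /etc/sshd_config or /etc/ssh/sshd_config instead of the samples; a non-zero exit from audit_empty_passwords is the finding to act on regardless of what sshd_config says.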
