On Thu, Jul 20, 2023 at 05:10:14PM +0000, ircu...@gmail.com wrote:
> Package: login
> Version: 1:4.13+dfsg1-1+b1
> Severity: serious
> X-Debbugs-Cc: ircu...@gmail.com
>
> Dear Maintainer,
>
> On a newly installed Debian bookworm, /usr/share/doc/passwd/NEWS.Debian.gz
> mentions a new PREVENT_NO_AUTH option that is supposed to prevent login to
> passwordless accounts.
>
> The option is found in /etc/login.defs and has the default value:
> PREVENT_NO_AUTH superuser
>
> I removed the root password using `passwd -d root` so that
> `grep root /etc/shadow` reads:
> root::19519:0:99999:7:::
>
> I can now log in to root on a tty just by typing root as the login name. I can
> also log in to root just by typing `su` from a regular user account.
> "PREVENT_NO_AUTH superuser" has no effect.
>
> I then changed the option to "PREVENT_NO_AUTH yes", which is supposed to
> prevent all passwordless account logins.
>
> I created a new user account with `useradd -m -s /bin/bash testuser` and
> deleted its password with `passwd -d testuser`. If I run
> `grep testuser /etc/shadow` it reads:
> testuser::19558:0:99999:7:::
>
> I can now also log in to this account on a tty without any password.
> `su newuser` also doesn't need any password. I can also still log in to the
> root account by doing `su`.
>
> https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/su.c/?hl=504#L504
>
> and
>
> https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/login.c/?hl=980#L980
>
> indicate that this should not be possible. It looks like PREVENT_NO_AUTH
> doesn't do anything at all.
>
> This was replicated on IRC by another user too.
The shadow code enforcing PREVENT_NO_AUTH is in the !ifdef PAM case.

-serge
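The practical follow-up to this thread is an audit of what is actually exposed: which accounts have an empty password field in the shadow file, what login.defs says, and whether the installed login binary is even a build where PREVENT_NO_AUTH can apply. The script below is an added example written for this page; it is not code from the shadow package, from Debian, or from the reporter. It assumes the standard colon-separated shadow format and the whitespace-separated `NAME value` layout of login.defs, and it uses constructed sample files so it runs offline; for a real audit, call the functions on /etc/shadow and /etc/login.defs as root. The `ldd`-based check reflects the reply above: on a PAM-linked build the PREVENT_NO_AUTH code is not compiled in, so whether an empty password is accepted is decided by the PAM configuration instead.

```shell
#!/bin/sh
# Added audit helper for the situation in this bug report. Not code from the
# shadow package or the reporter. Lists accounts with an empty shadow password
# field and shows the PREVENT_NO_AUTH value from a login.defs file. Paths are
# parameters so the constructed sample data below runs offline; use
# /etc/shadow and /etc/login.defs (as root) for a real audit.

# Usernames whose second (password) field is empty. These log in with no
# password unless something outside shadow (the PAM stack) refuses them.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Value of PREVENT_NO_AUTH from a login.defs file, or "(unset)" if absent.
# Comment lines never match because their first field starts with "#";
# the last assignment wins.
prevent_no_auth_setting() {
    v=$(awk '$1 == "PREVENT_NO_AUTH" { val = $2 } END { print val }' "$1")
    printf '%s\n' "${v:-(unset)}"
}

# True if the given login binary is linked against libpam. Per the reply
# above, the PREVENT_NO_AUTH enforcement is only in the non-PAM build, so
# on such a binary the setting cannot be relied on.
login_uses_pam() {
    ldd "$1" 2>/dev/null | grep -q 'libpam\.so'
}

# --- constructed sample input (not real system files) ---
sample_shadow=$(mktemp)
sample_defs=$(mktemp)
trap 'rm -f "$sample_shadow" "$sample_defs"' EXIT

cat > "$sample_shadow" <<'EOF'
root::19519:0:99999:7:::
daemon:*:19519:0:99999:7:::
testuser::19558:0:99999:7:::
alice:$6$examplesalt$examplehash:19558:0:99999:7:::
EOF

cat > "$sample_defs" <<'EOF'
# constructed excerpt of /etc/login.defs
UMASK           022
PREVENT_NO_AUTH superuser
EOF

echo "PREVENT_NO_AUTH: $(prevent_no_auth_setting "$sample_defs")"
echo "Accounts with an empty password field:"
empty_password_accounts "$sample_shadow" | sed 's/^/  /'
if login_uses_pam /bin/login; then
    echo "/bin/login is linked against libpam: PREVENT_NO_AUTH is not enforced by it"
fi
```

On the sample data this reports `root` and `testuser`, matching the two shadow lines quoted in the report; `daemon` (locked with `*`) and `alice` (hashed) are correctly excluded. Any account the first function lists on a PAM-linked system needs a password set or the account locked (`passwd -l`), regardless of what login.defs says.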