On Sun, 2013-10-13 at 17:30 +0200, Koen Kooi wrote: > Op 13 okt. 2013, om 15:39 heeft Richard Purdie > <[email protected]> het volgende geschreven: > > > On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote: > >> Op 12 okt. 2013, om 10:37 heeft Richard Purdie > >> <[email protected]> het volgende geschreven: > >> > >>> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote: > >>>> Signed-off-by: Koen Kooi <[email protected]> > >>>> --- > >>>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +- > >>>> 1 file changed, 1 insertion(+), 1 deletion(-) > >>>> > >>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config > >>>> b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config > >>>> index 4f9b626..175e8f3 100644 > >>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config > >>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config > >>>> @@ -59,7 +59,7 @@ Protocol 2 > >>>> > >>>> # To disable tunneled clear text passwords, change to no here! > >>>> #PasswordAuthentication yes > >>>> -#PermitEmptyPasswords no > >>>> +PermitEmptyPasswords yes > >>>> > >>>> # Change to no to disable s/key passwords > >>>> #ChallengeResponseAuthentication yes > >>> > >>> I'm struggling to connect the "if PAM allows it as well" part of the > >>> shortlog to this change? How is this conditional on PAM? > >> > >> If PAM disallows empty passwords this option doesn't do anything. The > >> PAM rules run before the openssh config options get applied. > > > > What if PAM isn't being used? > > I haven't tested that, but I suspect it will only allow empty passwords if > you set it to 'yes'.
Let me put this a different way. I think this commit allows empty
passwords for users both using PAM and those who are not. I think the
commit message needs to clearly say that as it's a fairly serious security
change for both cases.

I'm not actually sure this makes sense as a default and it may be better
off being configurable, defaulting to off...

Cheers,

Richard

_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
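
Review bot: In the `@@ -59,7 +59,7 @@` hunk, the `+PermitEmptyPasswords yes` line enables empty-password logins unconditionally in the shipped sshd_config, and nothing in the hunk ties it to PAM or to a build-time switch. The neighbouring `#PasswordAuthentication yes` stays commented, so password authentication remains at its default of enabled and any account with an empty password becomes reachable over SSH. Suggest keeping `#PermitEmptyPasswords no` as the shipped default and turning `yes` on only through an explicit opt-in, and adding a commit message body that states the effect both with and without PAM; the body quoted here contains only the Signed-off-by line.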
