[OE-core] [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
Richard Purdie
richard.purdie at linuxfoundation.org
Mon Oct 14 08:25:26 UTC 2013
On Sun, 2013-10-13 at 17:30 +0200, Koen Kooi wrote:
> Op 13 okt. 2013, om 15:39 heeft Richard Purdie <richard.purdie at linuxfoundation.org> het volgende geschreven:
>
> > On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote:
> >> Op 12 okt. 2013, om 10:37 heeft Richard Purdie <richard.purdie at linuxfoundation.org> het volgende geschreven:
> >>
> >>> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
> >>>> Signed-off-by: Koen Kooi <koen at dominion.thruhere.net>
> >>>> ---
> >>>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
> >>>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> index 4f9b626..175e8f3 100644
> >>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> @@ -59,7 +59,7 @@ Protocol 2
> >>>>
> >>>> # To disable tunneled clear text passwords, change to no here!
> >>>> #PasswordAuthentication yes
> >>>> -#PermitEmptyPasswords no
> >>>> +PermitEmptyPasswords yes
> >>>>
> >>>> # Change to no to disable s/key passwords
> >>>> #ChallengeResponseAuthentication yes
> >>>
> >>> I'm struggling to connect the "if PAM allows it as well" part of the
> >>> shortlog to this change? How is this conditional on PAM?
> >>
> >> If PAM disallows empty passwords this option doesn't do anything. The
> >> PAM rules run before the openssh config options get applied.
> >
> > What if PAM isn't being used?
>
> I haven't tested that, but I suspect it will only allow empty passwords if you set it to 'yes'.
Let me put this a different way. I think this commit allows empty
passwords for users both using PAM and those who are not. I think the
commit message needs to clearly say that as its a fairly serious
security change for both cases.
I'm not actually sure this makes sense as a default and it may be better
off being configurable, defaulting to off...
Cheers,
Richard
More information about the Openembedded-core
mailing list