From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Koen Kooi <koen@dominion.thruhere.net>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
Date: Mon, 14 Oct 2013 09:25:26 +0100
Message-ID: <1381739126.29912.239.camel@ted>
In-Reply-To: <284EA7A5-1C83-4B85-AC71-27CD9707EC5C@dominion.thruhere.net>

On Sun, 2013-10-13 at 17:30 +0200, Koen Kooi wrote:
> On 13 Oct 2013, at 15:39, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>
> > On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote:
> >> On 12 Oct 2013, at 10:37, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> >>
> >>> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
> >>>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> >>>> ---
> >>>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
> >>>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> index 4f9b626..175e8f3 100644
> >>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> @@ -59,7 +59,7 @@ Protocol 2
> >>>>
> >>>> # To disable tunneled clear text passwords, change to no here!
> >>>> #PasswordAuthentication yes
> >>>> -#PermitEmptyPasswords no
> >>>> +PermitEmptyPasswords yes
> >>>>
> >>>> # Change to no to disable s/key passwords
> >>>> #ChallengeResponseAuthentication yes
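Review bot: the added `PermitEmptyPasswords yes` line is unconditional, while the subject says "if PAM allows it as well"; nothing in this hunk ties the setting to PAM, so the shipped sshd_config carries it whether or not PAM is in use. The commit message has no body beyond the Signed-off-by, so the security impact is not recorded anywhere. Suggest keeping `#PermitEmptyPasswords no` as the shipped default and making `yes` an explicit opt-in, or at minimum stating in the commit message that the change applies with and without PAM.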
> >>>
> >>> I'm struggling to connect the "if PAM allows it as well" part of the
> >>> shortlog to this change? How is this conditional on PAM?
> >>
> >> If PAM disallows empty passwords this option doesn't do anything. The
> >> PAM rules run before the openssh config options get applied.
> >
> > What if PAM isn't being used?
>
> I haven't tested that, but I suspect it will only allow empty passwords if you set it to 'yes'.

Let me put this a different way. I think this commit allows empty
passwords for users both using PAM and those who are not. I think the
commit message needs to clearly say that as it's a fairly serious
security change for both cases.

I'm not actually sure this makes sense as a default and it may be better
off being configurable, defaulting to off...

Cheers,
Richard
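
The interaction discussed in this thread, written as an audit check. This is an added example, not part of the original message or the OpenEmbedded recipe. It assumes upstream defaults (`PermitEmptyPasswords no`, `UsePAM no`), reads global options only, and takes a `/etc/pam.d`-style stack as text; the function names, verdict strings and sample inputs are made up for the example.

```python
import re

# Assumed upstream defaults; a patched build may differ.
DEFAULTS = {"permitemptypasswords": "no", "usepam": "no"}

def effective_sshd_options(config_text):
    """Global sshd options; sshd keeps the first value it sees for a keyword."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # a commented-out line sets nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break                         # Match blocks are out of scope here
        if len(parts) == 2 and key not in opts:
            opts[key] = parts[1].strip().strip('"').lower()
    return {k: opts.get(k, d) for k, d in DEFAULTS.items()}

def pam_allows_null(pam_text):
    """True if an auth line for pam_unix carries the exact option 'nullok'."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 3 and fields[0].lstrip("-") == "auth"
                and any("pam_unix" in f for f in fields[2:])
                and "nullok" in fields):
            return True
    return False

def empty_password_exposure(sshd_text, pam_text=None):
    """Would sshd accept an empty password for an account that has one?"""
    o = effective_sshd_options(sshd_text)
    if o["permitemptypasswords"] != "yes":
        return "blocked-by-sshd"
    if o["usepam"] != "yes":
        return "allowed-no-pam"           # sshd_config was the only gate
    if pam_text is None:
        return "depends-on-pam"           # need the PAM stack to decide
    return "allowed-by-pam" if pam_allows_null(pam_text) else "blocked-by-pam"

# Constructed samples: the two sides of the hunk in this thread, two PAM stacks.
BEFORE = "#PasswordAuthentication yes\n#PermitEmptyPasswords no\n"
AFTER = "#PasswordAuthentication yes\nPermitEmptyPasswords yes\n"
PAM_NULLOK, PAM_STRICT = "auth required pam_unix.so nullok\n", "auth required pam_unix.so\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "without PAM:", empty_password_exposure(cfg))
```

Running the check against an image's final `sshd_config` and its `sshd` PAM stack shows which of the two gates, if either, still rejects empty passwords.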