Openembedded Core Discussions
From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Koen Kooi <koen@dominion.thruhere.net>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
Date: Mon, 14 Oct 2013 09:25:26 +0100
Message-ID: <1381739126.29912.239.camel@ted>
In-Reply-To: <284EA7A5-1C83-4B85-AC71-27CD9707EC5C@dominion.thruhere.net>

On Sun, 2013-10-13 at 17:30 +0200, Koen Kooi wrote:
> On 13 Oct 2013, at 15:39, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> 
> > On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote:
> >> On 12 Oct 2013, at 10:37, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> >> 
> >>> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
> >>>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> >>>> ---
> >>>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
> >>>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>> 
> >>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> index 4f9b626..175e8f3 100644
> >>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> @@ -59,7 +59,7 @@ Protocol 2
> >>>> 
> >>>> # To disable tunneled clear text passwords, change to no here!
> >>>> #PasswordAuthentication yes
> >>>> -#PermitEmptyPasswords no
> >>>> +PermitEmptyPasswords yes
> >>>> 
> >>>> # Change to no to disable s/key passwords
> >>>> #ChallengeResponseAuthentication yes
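Review bot: the `+PermitEmptyPasswords yes` line replaces a commented-out `no` with an active `yes` in the recipe's default sshd_config, and nothing in the hunk makes it conditional on PAM, although the subject line says "if PAM allows it as well". The commit message also has no body explaining which use case needs this. Suggest leaving the shipped default at `no` and enabling empty passwords through an opt-in setting, or at minimum rewording the commit message to say that the option is switched on for every image that installs this file.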
> >>> 
> >>> I'm struggling to connect the "if PAM allows it as well" part of the
> >>> shortlog to this change? How is this conditional on PAM?
> >> 
> >> If PAM disallows empty passwords this option doesn't do anything. The
> >> PAM rules run before the openssh config options get applied.
> > 
> > What if PAM isn't being used?
> 
> I haven't tested that, but I suspect it will only allow empty passwords if you set it to 'yes'.

Let me put this a different way. I think this commit allows empty
passwords for users both using PAM and those who are not. I think the
commit message needs to clearly say that as it's a fairly serious
security change for both cases.

I'm not actually sure this makes sense as a default and it may be better
off being configurable, defaulting to off...

Cheers,

Richard
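
A check for the point raised in this reply, as an added example that is not part of the original thread or the OpenEmbedded recipe: it reads an sshd_config and reports the effective global `PermitEmptyPasswords` and `UsePAM` values plus any `Match`-block overrides. The sample configs are constructed from the quoted hunk's lines; the function name `audit` and the result layout are assumptions of this example.

```python
import re

# sshd's built-in defaults for the two keywords discussed in the thread.
DEFAULTS = {"permitemptypasswords": "no", "usepam": "no"}
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")

def audit(config_text):
    """Report global values and Match-block overrides for the DEFAULTS keywords.

    sshd_config rules applied: keywords are case-insensitive, lines starting
    with '#' are comments, and the first value obtained for a keyword wins.
    """
    result = dict(DEFAULTS, overrides=[])
    seen = set()
    match_ctx = None  # None while still in the global section
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:  # blank line, comment, or keyword without a value
            continue
        keyword, rest = m.group(1).lower(), m.group(2)
        if keyword == "match":
            match_ctx = rest  # following lines apply only to this Match block
            continue
        if keyword not in DEFAULTS:
            continue
        value = rest.split()[0].strip('"').lower()
        if match_ctx is not None:
            result["overrides"].append((match_ctx, keyword, value, lineno))
        elif keyword not in seen:  # first occurrence wins
            seen.add(keyword)
            result[keyword] = value
    return result

# Constructed samples: the hunk's context lines, before and after the patch.
TEMPLATE = """\
Protocol 2
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
{line}
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
"""
SAMPLE_ORIGINAL = TEMPLATE.format(line="#PermitEmptyPasswords no")
SAMPLE_PATCHED = TEMPLATE.format(line="PermitEmptyPasswords yes")

if __name__ == "__main__":
    for name, text in (("original", SAMPLE_ORIGINAL), ("patched", SAMPLE_PATCHED)):
        print(name, audit(text))
```

On a running system, `sshd -T` prints the effective configuration as sshd itself resolves it.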


