From: Richard Purdie
To: Koen Kooi
Cc: openembedded-core@lists.openembedded.org
Date: Mon, 14 Oct 2013 09:25:26 +0100
Subject: Re: [PATCH 2/2] openssh: allow empty passwords if PAM allows it as well
In-Reply-To: <284EA7A5-1C83-4B85-AC71-27CD9707EC5C@dominion.thruhere.net>

On Sun, 2013-10-13 at 17:30 +0200, Koen Kooi wrote:
> On 13 Oct 2013, at 15:39, Richard Purdie wrote:
>
> > On Sun, 2013-10-13 at 12:01 +0200, Koen Kooi wrote:
> >> On 12 Oct 2013, at 10:37, Richard Purdie wrote:
> >>
> >>> On Fri, 2013-10-11 at 15:37 +0200, Koen Kooi wrote:
> >>>> Signed-off-by: Koen Kooi
> >>>> ---
> >>>>  meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
> >>>>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> index 4f9b626..175e8f3 100644
> >>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >>>> @@ -59,7 +59,7 @@ Protocol 2
> >>>>
> >>>>  # To disable tunneled clear text passwords, change to no here!
> >>>>  #PasswordAuthentication yes
> >>>> -#PermitEmptyPasswords no
> >>>> +PermitEmptyPasswords yes
> >>>>
> >>>>  # Change to no to disable s/key passwords
> >>>>  #ChallengeResponseAuthentication yes
> >>>
> >>> I'm struggling to connect the "if PAM allows it as well" part of the
> >>> shortlog to this change? How is this conditional on PAM?
> >>
> >> If PAM disallows empty passwords this option doesn't do anything. The
> >> PAM rules run before the openssh config options get applied.
> >
> > What if PAM isn't being used?
>
> I haven't tested that, but I suspect it will only allow empty passwords
> if you set it to 'yes'.

Let me put this a different way. I think this commit allows empty
passwords for users both using PAM and those who are not. I think the
commit message needs to clearly say that, as it's a fairly serious
security change for both cases.

I'm not actually sure this makes sense as a default and it may be better
off being configurable, defaulting to off...

Cheers,

Richard
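Review bot: The hunk turns `PermitEmptyPasswords yes` on unconditionally in the default sshd_config shipped by the recipe, while the shortlog says "if PAM allows it as well"; nothing in the diff ties the setting to PAM, so on an image where sshd runs without PAM (UsePAM off, or sshd built without PAM support) this line alone decides whether an account with an empty password field can log in. Since the neighbouring `#PasswordAuthentication yes` stays commented, password authentication remains at sshd's built-in default of yes, so such accounts would be reachable over the network in that configuration. Suggest leaving `#PermitEmptyPasswords no` in the default file and enabling the option from the recipe or distro configuration for images that actually want it, and in any case stating in the commit message that the change applies to both PAM and non-PAM builds.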