Openembedded Core Discussions
* [PATCHv2] openssh: allow login with empty password
@ 2013-10-14 10:09 Koen Kooi
  2013-10-14 10:37 ` Paul Eggleton
  0 siblings, 1 reply; 5+ messages in thread
From: Koen Kooi @ 2013-10-14 10:09 UTC (permalink / raw)
  To: openembedded-core

Currently both PAM and dropbear allow logins with empty passwords, but
openssh doesn't. This commit changes the default in openssh to allow
empty password logins.

This should be changed to be a global config option in the long run.

Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
---
 meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
index 4f9b626..175e8f3 100644
--- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
@@ -59,7 +59,7 @@ Protocol 2
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
-#PermitEmptyPasswords no
+PermitEmptyPasswords yes
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
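Review bot: The added "PermitEmptyPasswords yes" line turns empty-password logins on as the active setting in the stock sshd_config the recipe ships, and nothing in the hunk limits it to development images. Suggest leaving "#PermitEmptyPasswords no" as the shipped default and enabling the option only where an image explicitly asks for it. If the line stays, the neighbouring entries ("#PasswordAuthentication yes", "#ChallengeResponseAuthentication yes") are commented-out defaults, so an active non-default value needs a comment above it saying that it is a deliberate change and why.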
-- 
1.8.3.1




* Re: [PATCHv2] openssh: allow login with empty password
  2013-10-14 10:09 [PATCHv2] openssh: allow login with empty password Koen Kooi
@ 2013-10-14 10:37 ` Paul Eggleton
  2013-10-14 11:09   ` Koen Kooi
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Eggleton @ 2013-10-14 10:37 UTC (permalink / raw)
  To: Koen Kooi; +Cc: openembedded-core

On Monday 14 October 2013 12:09:37 Koen Kooi wrote:
> Currently both PAM and dropbear allow logins with empty passwords, but
> openssh doesn't. This commit changes the default in openssh to allow
> empty password logins.
> 
> This should be changed to be a global config option in the long run.
> 
> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> ---
>  meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config index
> 4f9b626..175e8f3 100644
> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> @@ -59,7 +59,7 @@ Protocol 2
> 
>  # To disable tunneled clear text passwords, change to no here!
>  #PasswordAuthentication yes
> -#PermitEmptyPasswords no
> +PermitEmptyPasswords yes
> 
>  # Change to no to disable s/key passwords
>  #ChallengeResponseAuthentication yes

We do already have logic in image.bbclass to set this based upon debug-tweaks 
being in IMAGE_FEATURES; is that not working for you?

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: [PATCHv2] openssh: allow login with empty password
  2013-10-14 10:37 ` Paul Eggleton
@ 2013-10-14 11:09   ` Koen Kooi
  2013-10-14 11:27     ` Paul Eggleton
  2013-10-14 13:46     ` Mark Hatle
  0 siblings, 2 replies; 5+ messages in thread
From: Koen Kooi @ 2013-10-14 11:09 UTC (permalink / raw)
  To: Paul Eggleton; +Cc: openembedded-core


On 14 Oct 2013, at 12:37, Paul Eggleton <paul.eggleton@linux.intel.com> wrote:

> On Monday 14 October 2013 12:09:37 Koen Kooi wrote:
>> Currently both PAM and dropbear allow logins with empty passwords, but
>> openssh doesn't. This commit changes the default in openssh to allow
>> empty password logins.
>> 
>> This should be changed to be a global config option in the long run.
>> 
>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
>> ---
>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>> b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config index
>> 4f9b626..175e8f3 100644
>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>> @@ -59,7 +59,7 @@ Protocol 2
>> 
>> # To disable tunneled clear text passwords, change to no here!
>> #PasswordAuthentication yes
>> -#PermitEmptyPasswords no
>> +PermitEmptyPasswords yes
>> 
>> # Change to no to disable s/key passwords
>> #ChallengeResponseAuthentication yes
> 
> We do already have logic in image.bbclass to set this based upon debug-tweaks 
> being in IMAGE_FEATURES; is that not working for you?

I haven't tried that, but that still doesn't fix the inconsistency issues and presents problems during package upgrades. 

regards,

Koen


* Re: [PATCHv2] openssh: allow login with empty password
  2013-10-14 11:09   ` Koen Kooi
@ 2013-10-14 11:27     ` Paul Eggleton
  2013-10-14 13:46     ` Mark Hatle
  1 sibling, 0 replies; 5+ messages in thread
From: Paul Eggleton @ 2013-10-14 11:27 UTC (permalink / raw)
  To: Koen Kooi; +Cc: openembedded-core

On Monday 14 October 2013 13:09:55 Koen Kooi wrote:
> On 14 Oct 2013, at 12:37, Paul Eggleton
> <paul.eggleton@linux.intel.com> wrote:
> > On Monday 14 October 2013 12:09:37 Koen Kooi wrote:
> >> Currently both PAM and dropbear allow logins with empty passwords, but
> >> openssh doesn't. This commit changes the default in openssh to allow
> >> empty password logins.
> >> 
> >> This should be changed to be a global config option in the long run.
> >> 
> >> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> >> ---
> >> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >> 
> >> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >> b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config index
> >> 4f9b626..175e8f3 100644
> >> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
> >> @@ -59,7 +59,7 @@ Protocol 2
> >> 
> >> # To disable tunneled clear text passwords, change to no here!
> >> #PasswordAuthentication yes
> >> -#PermitEmptyPasswords no
> >> +PermitEmptyPasswords yes
> >> 
> >> # Change to no to disable s/key passwords
> >> #ChallengeResponseAuthentication yes
> > 
> > We do already have logic in image.bbclass to set this based upon
> > debug-tweaks being in IMAGE_FEATURES; is that not working for you?
> 
> I haven't tried that, but that still doesn't fix the inconsistency issues
> and presents problems during package upgrades.

It shouldn't be an issue for package upgrades - ${sysconfdir}/ssh/sshd_config 
is included in CONFFILES for openssh-sshd.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: [PATCHv2] openssh: allow login with empty password
  2013-10-14 11:09   ` Koen Kooi
  2013-10-14 11:27     ` Paul Eggleton
@ 2013-10-14 13:46     ` Mark Hatle
  1 sibling, 0 replies; 5+ messages in thread
From: Mark Hatle @ 2013-10-14 13:46 UTC (permalink / raw)
  To: openembedded-core

On 10/14/13 6:09 AM, Koen Kooi wrote:
>
> On 14 Oct 2013, at 12:37, Paul Eggleton <paul.eggleton@linux.intel.com> wrote:
>
>> On Monday 14 October 2013 12:09:37 Koen Kooi wrote:
>>> Currently both PAM and dropbear allow logins with empty passwords, but
>>> openssh doesn't. This commit changes the default in openssh to allow
>>> empty password logins.
>>>
>>> This should be changed to be a global config option in the long run.
>>>
>>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
>>> ---
>>> meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>>> b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config index
>>> 4f9b626..175e8f3 100644
>>> --- a/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>>> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p2/sshd_config
>>> @@ -59,7 +59,7 @@ Protocol 2
>>>
>>> # To disable tunneled clear text passwords, change to no here!
>>> #PasswordAuthentication yes
>>> -#PermitEmptyPasswords no
>>> +PermitEmptyPasswords yes
>>>
>>> # Change to no to disable s/key passwords
>>> #ChallengeResponseAuthentication yes
>>
>> We do already have logic in image.bbclass to set this based upon debug-tweaks
>> being in IMAGE_FEATURES; is that not working for you?
>
> I haven't tried that, but that still doesn't fix the inconsistency issues and presents problems during package upgrades.

If the behavior is inconsistent, then the fix should be to PAM, dropbear and the 
debug-tweaks.  (I'm really wondering if this behavior should be able to be run 
w/o the rest of the debug-tweaks.)

But the default, for security purposes, should be no root login.

--Mark

> regards,
>
> Koen
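
An added example, not part of the thread and not OE-core code: a shell check that reports the value sshd would use for PermitEmptyPasswords in a given sshd_config, as one way to confirm what a built image actually ships. The function names and sample files are constructed for illustration, and only the global section (before any Match block) is read.

```shell
#!/bin/sh
# Added example: effective global PermitEmptyPasswords in an sshd_config.
# sshd_config(5): keywords are case-insensitive, the first value obtained
# for a keyword is the one used, and this option defaults to "no".

effective_empty_passwords() {
    awk '
        /^[ \t]*(#|$)/ { next }          # comments and blank lines
        { sub(/=/, " ")                  # accept the "Keyword=value" form
          key = tolower($1) }
        key == "match" { exit }          # global section ends at first Match
        key == "permitemptypasswords" { print $2; found = 1; exit }
        END { if (!found) print "no" }   # nothing set: built-in default
    ' "$1"
}

# Succeeds only if the file refuses empty passwords globally.
refuses_empty_passwords() {
    [ "$(effective_empty_passwords "$1")" = "no" ]
}

# Constructed samples: the lines touched by the patch, before and after,
# plus a file where a later "no" is shadowed by an earlier "yes".
write_samples() {
    printf '%s\n' 'Protocol 2' '#PasswordAuthentication yes' \
        '#PermitEmptyPasswords no' > "$1/before"
    printf '%s\n' 'Protocol 2' '#PasswordAuthentication yes' \
        'PermitEmptyPasswords yes' > "$1/after"
    printf '%s\n' 'permitemptypasswords=yes' \
        'PermitEmptyPasswords no' > "$1/shadowed"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in before after shadowed; do
    printf '%s: PermitEmptyPasswords %s\n' \
        "$f" "$(effective_empty_passwords "$tmp/$f")"
done
rm -rf "$tmp"
```

Pointed at the sshd_config inside an image's root filesystem, refuses_empty_passwords gives a pass/fail result suitable for a build-time check.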