Date:      Sat, 27 May 2023 10:39:12 +0100
From:      David Chisnall <theraven@FreeBSD.org>
To:        Mike Karels <mike@karels.net>
Cc:        bob prohaska <fbsd@www.zefox.net>, freebsd-current@freebsd.org
Subject:   Re: Surprise null root password
Message-ID:  <850FF076-A511-4802-8D7C-2029752C3345@FreeBSD.org>
In-Reply-To: <E29BDD31-BB38-41F8-B1F9-422CBEC7143D@karels.net>
References:  <ZHDt21wFlpJfQKEs@www.zefox.net> <ZHFqzf9A90L9NfJb@www.zefox.net> <E29BDD31-BB38-41F8-B1F9-422CBEC7143D@karels.net>

On 27 May 2023, at 03:52, Mike Karels <mike@karels.net> wrote:
>
> On 26 May 2023, at 21:28, bob prohaska wrote:
>
>> It turns out all seven hosts in my cluster report
>> a null password for root in /usr/src/etc/master.passwd:
>> root::0:0::0:0:Charlie &:/root:/bin/sh
>>
>> Is that intentional?
>
> Well, it has been that way in FreeBSD since 1993, and in BSD since
> 1980 (4.0BSD).  I guess you would say that it is intentional.  The
> alternative would be to have a well-known password like root, but
> then it wouldn't be as obvious that a local password had not been
> set.

There was a very nasty POLA violation a release or two ago.  OpenSSH defaults to disallowing empty passwords and so having a null password was a convenient way of allowing people to su or locally log into that user but disallowing ssh.  This option does not work in recent versions of FreeBSD.  Turning on the option to permit root login while keeping the root password blank used to be (mostly) safe because it permitted su to root from people in the wheel group, root login via SSH key remotely (for 'everything is broken I can't log in as a user whose home directory is not on the root filesystem' recovery) and local login as root from consoles marked as secure.  It now permits root login from the network with a blank password.

David
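The thread turns on two things an administrator can check on each host: which accounts in master.passwd have an empty password field, and what sshd_config says about root login and empty passwords. The following audit script is an added example, not code from the thread, from FreeBSD or from OpenSSH. It assumes the master.passwd field layout (name:password:uid:gid:class:change:expire:gecos:home:shell), the sshd_config rule that the first uncommented occurrence of a keyword wins, and a default of "no" for both PermitRootLogin and PermitEmptyPasswords when they are not set explicitly (the defaults to report are an assumption and are passed in as parameters, so they can be changed). The sample files are constructed inline so the script runs offline; the root line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, FreeBSD or OpenSSH): audit a
# master.passwd-style file for accounts whose password field is empty and
# report the sshd_config settings that decide whether such an account is
# reachable over SSH. Sample inputs are constructed below.

# Print the names of accounts whose password field (field 2) is empty.
# Assumed layout: name:password:uid:gid:class:change:expire:gecos:home:shell
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 10 && $2 == "" { print $1 }' "$1"
}

# Effective value of an sshd_config keyword: the first uncommented match wins;
# when the keyword is absent, print the caller-supplied default.
sshd_setting() {
    # $1 config file, $2 keyword (case-insensitive), $3 default when unset
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# One report line per empty-password account, with the two sshd settings.
# Returns 1 when at least one empty-password account exists, 0 otherwise.
audit_empty_passwords() {
    pw=$1; cfg=$2; found=0
    root_login=$(sshd_setting "$cfg" PermitRootLogin no)          # assumed default
    empty_ok=$(sshd_setting "$cfg" PermitEmptyPasswords no)       # assumed default
    for acct in $(empty_password_accounts "$pw"); do
        found=1
        printf '%s: empty password field (PermitRootLogin=%s PermitEmptyPasswords=%s)\n' \
            "$acct" "$root_login" "$empty_ok"
    done
    return $found
}

# --- constructed sample input (not copied from any real host) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/master.passwd" <<'EOF'
# constructed sample; the root line is the one quoted in the thread
root::0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$constructedhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF

cat > "$tmp/sshd_config" <<'EOF'
# constructed sample; commented keywords must not count as set
#PermitRootLogin no
PermitRootLogin yes
#PermitEmptyPasswords no
EOF

# Usage: list empty-password accounts alongside the sshd settings, and
# treat a non-zero status as "review this host".
if audit_empty_passwords "$tmp/master.passwd" "$tmp/sshd_config"; then
    echo "no empty-password accounts found"
else
    echo "review the accounts listed above"
fi
```

On a real host the two arguments would be /etc/master.passwd (read as root) and /etc/ssh/sshd_config; the script only reads both files and changes nothing. Because the first uncommented keyword wins in sshd_config, a commented-out `#PermitRootLogin no` line does not count, which is why the sample reports `PermitRootLogin=yes`.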
