From: David Chisnall
To: Mike Karels
Cc: bob prohaska, freebsd-current@freebsd.org
Subject: Re: Surprise null root password
Date: Sat, 27 May 2023 10:39:12 +0100
Message-Id: <850FF076-A511-4802-8D7C-2029752C3345@FreeBSD.org>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 27 May 2023, at 03:52, Mike Karels wrote:
>
> On 26 May 2023, at 21:28, bob prohaska wrote:
>
>> It turns out all seven hosts in my cluster report
>> a null password for root in /usr/src/etc/master.passwd:
>> root::0:0::0:0:Charlie &:/root:/bin/sh
>>
>> Is that intentional?
>
> Well, it has been that way in FreeBSD since 1993, and in BSD since
> 1980 (4.0BSD). I guess you would say that it is intentional. The
> alternative would be to have a well-known password like root, but
> then it wouldn’t be as obvious that a local password had not been
> set.

There was a very nasty POLA violation a release or two ago. OpenSSH defaults to disallowing empty passwords and so having a null password was a convenient way of allowing people to su or locally log into that user but disallowing ssh. This option does not work in recent versions of FreeBSD. Turning on the option to permit root login while keeping the root password blank used to be (mostly) safe because it permitted su to root from people in the wheel group, root login via SSH key remotely (for ‘everything is broken I can’t log in as a user whose home directory is not on the root filesystem’ recovery) and local login as root from consoles marked as secure. It now permits root login from the network with a blank password.

David
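
A check for the combination described in the message above, as an added example that is not part of the original e-mail or of FreeBSD: it flags a root entry with an empty password field when the effective sshd setting lets root authenticate with a password. The function names, the `alice` entry and the saved `sshd -T` output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message). Audits for the combination the
# message describes: root with an empty password field while sshd allows root
# to authenticate with a password.

# Print login names whose password field (field 2 of master.passwd(5)) is empty.
empty_pw_accounts() {
    awk -F: '!/^#/ && NF >= 10 && $2 == "" { print $1 }' "$1"
}

# Print the value of one keyword from saved "sshd -T" output ("keyword value").
sshd_setting() {
    awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"
}

# $1 = master.passwd-format file, $2 = saved "sshd -T" output.
# Prints one verdict line; always returns 0 so callers can capture the text.
audit_root_ssh() {
    prl=$(sshd_setting "$2" permitrootlogin)
    if empty_pw_accounts "$1" | grep -qx root; then
        if [ "$prl" = yes ]; then
            # Per the message, PermitEmptyPasswords=no is not relied on here.
            echo "FAIL root has an empty password and permitrootlogin=yes"
        else
            echo "WARN root has an empty password; permitrootlogin=${prl:-unknown}"
        fi
    else
        echo "OK root password field is not empty"
    fi
}

# Constructed sample input: the stock root entry quoted in the thread plus a
# hypothetical user, and hypothetical "sshd -T" output.
tmp=$(mktemp -d)
cat > "$tmp/master.passwd" <<'EOF'
# $FreeBSD$
root::0:0::0:0:Charlie &:/root:/bin/sh
alice:$6$constructed$hash:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
printf 'permitrootlogin yes\npermitemptypasswords no\n' > "$tmp/sshd_T.txt"

audit_root_ssh "$tmp/master.passwd" "$tmp/sshd_T.txt"
```

On a live host, point the first argument at `/etc/master.passwd` and the second at the output of `sshd -T` saved to a file, both read as root.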