Date: Wed, 31 May 2023 13:48:13 +0100
From: David Chisnall <theraven@FreeBSD.org>
To: freebsd-current@freebsd.org
Subject: Re: Surprise null root password
Message-ID: <00390842-c06f-8396-d199-d854b24dc616@FreeBSD.org>
In-Reply-To: <86sfbdk52w.fsf@ltc.des.no>
References: <ZHDt21wFlpJfQKEs@www.zefox.net> <ZHFqzf9A90L9NfJb@www.zefox.net> <E29BDD31-BB38-41F8-B1F9-422CBEC7143D@karels.net> <850FF076-A511-4802-8D7C-2029752C3345@FreeBSD.org> <86sfbdk52w.fsf@ltc.des.no>
On 30/05/2023 20:11, Dag-Erling Smørgrav wrote:
> David Chisnall <theraven@FreeBSD.org> writes:
>> There was a very nasty POLA violation a release or two ago. OpenSSH
>> defaults to disallowing empty passwords and so having a null password
>> was a convenient way of allowing people to su or locally log into that
>> user but disallowing ssh. This option does not work in recent
>> versions of FreeBSD. Turning on the option to permit root login while
>> keeping the root password blank used to be (mostly) safe because it
>> permitted su to root from people in the wheel group, root login via
>> SSH key remotely (for ‘everything is broken I can’t log in as a user
>> whose home directory is not on the root filesystem’ recovery) and
>> local login as root from consoles marked as secure. It now permits
>> root login from the network with a blank password.
> That is incorrect. PermitRootLogin defaults to “no” in FreeBSD and to
> “prohibit-password” upstream (and presumably in the port), while
> PermitEmptyPasswords defaults to “no” both in FreeBSD and upstream,
> cf. crypto/openssh/servconf.c (search for “permit_root” and
> “permit_empty”).

I didn't say it defaulted to anything else, but if you enable PermitRootLogin then you have a nasty surprise because PermitEmptyPasswords=no does not do anything and you can still log in via an empty password.

There is presumably something I can put in pam.d that will prevent password-based login (without fully disabling keyboard-interactive from sshd_config) but I have never successfully understood anything after reading the PAM documentation.

David
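The combination the thread is arguing about (PermitRootLogin turned on, root password left blank, PAM keyboard-interactive at its default) can be checked mechanically before root login is enabled. The script below is an added example and is not code from the thread, from FreeBSD or from OpenSSH. It assumes the defaults as stated in the thread and in FreeBSD's shipped sshd_config (PermitRootLogin no, PermitEmptyPasswords no, UsePAM yes; PasswordAuthentication and KbdInteractiveAuthentication yes, as upstream), uses hypothetical helper names, and works on constructed sample configs and master.passwd lines rather than real host data.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD/OpenSSH: audit the
# option combination discussed above (PermitRootLogin + blank root password +
# PAM keyboard-interactive) before enabling root login over ssh.
# Assumptions: defaults follow the FreeBSD base system as described in the
# thread and in FreeBSD's shipped sshd_config (PermitRootLogin no,
# PermitEmptyPasswords no, UsePAM yes; PasswordAuthentication and
# KbdInteractiveAuthentication yes as upstream). Helper names are
# hypothetical; sample configs and passwd lines are constructed.

# sshd_opt FILE KEYWORD DEFAULT
# Print the lowercased value of KEYWORD from an sshd_config-style file or
# from `sshd -T` output. As in sshd(8), the first occurrence wins; parsing
# stops at the first Match block (per-user overrides need their own pass).
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# root_password_empty MASTER_PASSWD_LINE
# True when the encrypted-password field (field 2 of master.passwd(5)) is empty.
root_password_empty() {
    [ -z "$(printf '%s\n' "$1" | cut -d: -f2)" ]
}

# audit_root_ssh CONFIG_FILE ROOT_MASTER_PASSWD_LINE
# Print one RISK line per network path that would accept a blank root
# password; return 1 if any was printed, 0 otherwise.
audit_root_ssh() {
    cfg=$1
    pwline=$2
    findings=0
    permit_root=$(sshd_opt "$cfg" PermitRootLogin no)
    permit_empty=$(sshd_opt "$cfg" PermitEmptyPasswords no)
    pass_auth=$(sshd_opt "$cfg" PasswordAuthentication yes)
    use_pam=$(sshd_opt "$cfg" UsePAM yes)
    # KbdInteractiveAuthentication replaced ChallengeResponseAuthentication;
    # honour the old spelling when the new one is absent.
    kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication \
          "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)")

    # "no", "prohibit-password" and the old "without-password" never take a
    # password for root, so a blank password cannot be used remotely.
    [ "$permit_root" = yes ] || return 0
    root_password_empty "$pwline" || return 0

    if [ "$pass_auth" = yes ] && [ "$permit_empty" = yes ]; then
        echo "RISK: password method accepts the blank root password (PermitEmptyPasswords yes)"
        findings=1
    fi
    # The path the thread describes: sshd_config(5) scopes PermitEmptyPasswords
    # to password authentication, so with UsePAM yes the keyboard-interactive
    # method hands the blank password to PAM and pam.d, not sshd_config,
    # decides whether it succeeds.
    if [ "$use_pam" = yes ] && [ "$kbd" = yes ]; then
        echo "RISK: keyboard-interactive via PAM can accept the blank root password despite PermitEmptyPasswords no"
        findings=1
    fi
    return $findings
}

# Constructed samples (not real host data).
ROOT_EMPTY='root::0:0::0:0:Charlie &:/root:/bin/sh'
ROOT_SET='root:$6$saltsalt$hashhash:0:0::0:0:Charlie &:/root:/bin/sh'

WEAK_CFG=$(mktemp)
CORRECTED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$CORRECTED_CFG"' EXIT

# The surprise from the thread: root login turned on for key-based recovery,
# password still blank, PAM keyboard-interactive left at its default.
cat > "$WEAK_CFG" <<'EOF'
PermitRootLogin yes
PermitEmptyPasswords no
UsePAM yes
EOF

# Corrected: key-only root login keeps the recovery path and closes the
# password paths regardless of what pam.d allows.
cat > "$CORRECTED_CFG" <<'EOF'
PermitRootLogin prohibit-password
PermitEmptyPasswords no
UsePAM yes
EOF

for cfg in "$WEAK_CFG" "$CORRECTED_CFG"; do
    if audit_root_ssh "$cfg" "$ROOT_EMPTY"; then
        echo "$cfg: no blank-password path for root"
    fi
done
```

On a live host, feed `audit_root_ssh` the output of `sshd -T` (the effective configuration after defaults and includes are resolved) saved to a file, together with the root line from /etc/master.passwd; the sshd_config(5) scoping of PermitEmptyPasswords to password authentication is why the corrected sample switches to prohibit-password rather than relying on that option.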
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00390842-c06f-8396-d199-d854b24dc616>