Date:      Wed, 31 May 2023 13:48:13 +0100
From:      David Chisnall <theraven@FreeBSD.org>
To:        freebsd-current@freebsd.org
Subject:   Re: Surprise null root password
Message-ID:  <00390842-c06f-8396-d199-d854b24dc616@FreeBSD.org>
In-Reply-To: <86sfbdk52w.fsf@ltc.des.no>
References:  <ZHDt21wFlpJfQKEs@www.zefox.net> <ZHFqzf9A90L9NfJb@www.zefox.net> <E29BDD31-BB38-41F8-B1F9-422CBEC7143D@karels.net> <850FF076-A511-4802-8D7C-2029752C3345@FreeBSD.org> <86sfbdk52w.fsf@ltc.des.no>

On 30/05/2023 20:11, Dag-Erling Smørgrav wrote:
> David Chisnall <theraven@FreeBSD.org> writes:
>> There was a very nasty POLA violation a release or two ago.  OpenSSH
>> defaults to disallowing empty passwords and so having a null password
>> was a convenient way of allowing people to su or locally log into that
>> user but disallowing ssh.  This option does not work in recent
>> versions of FreeBSD.  Turning on the option to permit root login while
>> keeping the root password blank used to be (mostly) safe because it
>> permitted su to root from people in the wheel group, root login via
>> SSH key remotely (for ‘everything is broken I can’t log in as a user
>> whose home directory is not on the root filesystem’ recovery) and
>> local login as root from consoles marked as secure.  It now permits
>> root login from the network with a blank password.
> That is incorrect.  PermitRootLogin defaults to “no” in FreeBSD and to
> “prohibit-password” upstream (and presumably in the port), while
> PermitEmptyPasswords defaults to “no” both in FreeBSD and upstream,
> cf. crypto/openssh/servconf.c (search for “permit_root” and
> “permit_empty”).

I didn't say it defaulted to anything else, but if you enable 
PermitRootLogin then you have a nasty surprise because 
PermitEmptyPasswords=no does not do anything and you can still log in 
via an empty password.

There is presumably something I can put in pam.d that will prevent 
password-based login (without fully disabling keyboard-interactive from 
sshd_config) but I have never successfully understood anything after 
reading the PAM documentation.

David
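
A check for the combination discussed in this message, added here as an example and not taken from the thread or from FreeBSD: it reads a saved `sshd -T` dump and a master.passwd-format file and reports null-password accounts to which sshd would offer password-style authentication. The function names and sample data are constructed; following the report above, `permitemptypasswords` is deliberately not treated as a mitigation.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Inputs: a saved `sshd -T` dump
# and a master.passwd-format file.

# Value of one keyword from an `sshd -T` dump (keywords are printed lowercase).
sshd_setting() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Login names whose password field (2nd colon-separated field) is empty.
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Print one line per account at risk; return 1 if any were found.
audit() {
    dump=$1
    passwd=$2
    root=$(sshd_setting "$dump" permitrootlogin)
    pw=$(sshd_setting "$dump" passwordauthentication)
    kbd=$(sshd_setting "$dump" kbdinteractiveauthentication)
    # No password-style method offered at all: nothing to report.
    [ "$pw" = yes ] || [ "$kbd" = yes ] || return 0
    found=0
    for user in $(empty_password_accounts "$passwd"); do
        # root can use password-style methods only when PermitRootLogin is "yes".
        if [ "$user" = root ] && [ "$root" != yes ]; then continue; fi
        echo "RISK: $user has a null password and sshd offers password/keyboard-interactive auth"
        found=1
    done
    return "$found"
}

# Constructed sample data (not from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd-T.txt" <<'EOF'
permitrootlogin yes
permitemptypasswords no
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
EOF
cat > "$tmp/master.passwd" <<'EOF'
root::0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice:$6$constructedsalt$constructedhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
audit "$tmp/sshd-T.txt" "$tmp/master.passwd" || echo "audit: accounts at risk found"
```

On a live host the two inputs would be the output of `sshd -T` and `/etc/master.passwd`, both read as root.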


