From nobody Wed May 31 12:48:13 2023
Message-ID: <00390842-c06f-8396-d199-d854b24dc616@FreeBSD.org>
Date: Wed, 31 May 2023 13:48:13 +0100
From: David Chisnall <theraven@FreeBSD.org>
To: freebsd-current@freebsd.org
Subject: Re: Surprise null root password
In-Reply-To: <86sfbdk52w.fsf@ltc.des.no>
References: <850FF076-A511-4802-8D7C-2029752C3345@FreeBSD.org> <86sfbdk52w.fsf@ltc.des.no>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
Content-Type: text/plain; charset=UTF-8; format=flowed

On 30/05/2023 20:11, Dag-Erling Smørgrav wrote:
> David Chisnall writes:
>> There was a very nasty POLA violation a release or two ago. OpenSSH
>> defaults to disallowing empty passwords and so having a null password
>> was a convenient way of allowing people to su or locally log into that
>> user but disallowing ssh. This option does not work in recent
>> versions of FreeBSD. Turning on the option to permit root login while
>> keeping the root password blank used to be (mostly) safe because it
>> permitted su to root from people in the wheel group, root login via
>> SSH key remotely (for ‘everything is broken I can’t log in as a user
>> whose home directory is not on the root filesystem’ recovery) and
>> local login as root from consoles marked as secure. It now permits
>> root login from the network with a blank password.
> That is incorrect. PermitRootLogin defaults to “no” in FreeBSD and to
> “prohibit-password” upstream (and presumably in the port), while
> PermitEmptyPasswords defaults to “no” both in FreeBSD and upstream,
> cf. crypto/openssh/servconf.c (search for “permit_root” and
> “permit_empty”).

I didn't say it defaulted to anything else, but if you enable
PermitRootLogin then you have a nasty surprise because
PermitEmptyPasswords=no does not do anything and you can still log in
via an empty password.

There is presumably something I can put in pam.d that will prevent
password-based login (without fully disabling keyboard-interactive from
sshd_config) but I have never successfully understood anything after
reading the PAM documentation.

David
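As an added audit example (not part of this thread and not FreeBSD's own tooling), the script below checks for the combination the message describes: an account with a null password in master.passwd while sshd is configured to let root authenticate with a password or keyboard-interactive. The `sshd -T` output and the master.passwd excerpt are constructed inline as assumptions; on a real host you would feed it the actual `sshd -T` output and /etc/master.passwd.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output (sshd prints keywords in lowercase).
SSHD_T='permitrootlogin yes
permitemptypasswords no
passwordauthentication yes
kbdinteractiveauthentication yes'

# Constructed master.passwd excerpt, FreeBSD layout:
# name:hash:uid:gid:class:change:expire:gecos:home:shell
MASTER_PASSWD='root::0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$constructed$hash:1001:1001::0:0:Alice:/home/alice:/bin/sh'

# Effective value of one sshd -T keyword (lowercase), empty if absent.
sshd_opt() {
    printf '%s\n' "$SSHD_T" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Accounts whose password field is empty, i.e. a null password.
null_password_accounts() {
    printf '%s\n' "$MASTER_PASSWD" | awk -F: '$2 == "" { print $1 }'
}

# Returns 0 (risky) when root has a null password and sshd would accept a
# password or keyboard-interactive login for root; 1 otherwise.
# PermitEmptyPasswords is deliberately not consulted, since the thread
# reports it does not block the login in this situation.
root_null_password_reachable() {
    case "$(sshd_opt permitrootlogin)" in
        yes) ;;            # root may authenticate with a password
        *)   return 1 ;;   # no, prohibit-password, forced-commands-only
    esac
    pw=$(sshd_opt passwordauthentication)
    kbd=$(sshd_opt kbdinteractiveauthentication)
    [ "$pw" = "yes" ] || [ "$kbd" = "yes" ] || return 1
    null_password_accounts | grep -qx root
}

if root_null_password_reachable; then
    echo "WARNING: root has a null password and sshd accepts password logins for root"
else
    echo "ok: no null root password reachable over sshd"
fi
```

Setting `PermitRootLogin prohibit-password` in the sample input makes the check pass, which is the mitigation the upstream default already provides.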