From owner-freebsd-questions@FreeBSD.ORG Tue May 6 20:05:15 2008
Return-Path: 
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B74691065675 for ; Tue, 6 May 2008 20:05:15 +0000 (UTC) (envelope-from infofarmer@FreeBSD.org)
Received: from heka.cenkes.org (heka.cenkes.org [208.79.80.110]) by mx1.freebsd.org (Postfix) with ESMTP id 879FA8FC23 for ; Tue, 6 May 2008 20:05:15 +0000 (UTC) (envelope-from infofarmer@FreeBSD.org)
Received: from amilo.cenkes.org (ppp91-76-106-196.pppoe.mtu-net.ru [91.76.106.196]) (Authenticated sender: sat) by heka.cenkes.org (Postfix) with ESMTPSA id 504F0242F833; Wed, 7 May 2008 00:05:14 +0400 (MSD)
Date: Wed, 7 May 2008 00:05:11 +0400
From: Andrew Pantyukhin
To: "T."
Message-ID: <20080506200510.GU92161@amilo.cenkes.org>
References: <4820A2E3.9030500@lists.goldenpath.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4820A2E3.9030500@lists.goldenpath.org>
X-OS: FreeBSD 8.0-CURRENT amd64
User-Agent: Mutt/1.5.17 (2007-11-01)
Cc: freebsd-questions@freebsd.org
Subject: Re: sshd on FreeBSD default allows blank passwords?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: infofarmer@FreeBSD.org
List-Id: User questions
X-List-Received-Date: Tue, 06 May 2008 20:05:15 -0000

On Tue, May 06, 2008 at 02:26:43PM -0400, T. wrote:
> I didn't realize this before, but it came to my attention when
> debugging PAM problems. Actually, sshd default does not allow
> it, but another default is in enabling PAM. It's passing power
> over to PAM which is allowing it.
>
> I didn't see another way immediately available to fix it, so I
> disabled PAM in sshd. Works as expected now.
>
> Is there a PAM solution for this?
>
> Is this intended to be the default behavior?
Now that you mention it, I was also under the impression that the reverse should be the default. I'm no PAM expert, but I thought "nullok" was required in /etc/pam.d/sshd next to pam_unix in order for empty passwords to work. But there's no "nullok" there by default and empty passwords still work. Disturbing.
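The three knobs the thread turns on (PermitEmptyPasswords and UsePAM in sshd_config, nullok on the pam_unix line in /etc/pam.d/sshd) can be audited together; the script below is an added example, not code from the thread or from FreeBSD, and it assumes OpenSSH's keyword semantics (case-insensitive, first occurrence wins) and works on constructed sample files rather than the real /etc paths.

```shell
#!/bin/sh
# Added example, not from the thread: report where the empty-password decision
# actually lives. Assumes OpenSSH sshd_config semantics: keywords are
# case-insensitive and the FIRST occurrence wins, so later overrides are ignored.

# sshd_opt FILE KEYWORD -> effective value (first uncommented match) or "unset"
sshd_opt() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        !found && tolower($1) == key { found = 1; print $2 }
        END { if (!found) print "unset" }' "$1"
}

# pam_nullok FILE -> "yes" if an active "auth ... pam_unix ..." line carries nullok
pam_nullok() {
    awk '/^[ \t]*#/ { next }
         $1 == "auth" && /pam_unix/ && /nullok/ { hit = 1 }
         END { print (hit ? "yes" : "no") }' "$1"
}

# audit_empty_passwords SSHD_CONFIG PAM_SSHD
# exit 0: sshd rejects empty passwords itself
# exit 1: sshd permits empty passwords
# exit 2: sshd delegates to PAM, so the PAM stack (not sshd) decides; as the
#         thread shows, the absence of nullok is not proof that they are rejected
audit_empty_passwords() {
    pep=$(sshd_opt "$1" PermitEmptyPasswords)
    usepam=$(sshd_opt "$1" UsePAM)
    nullok=$(pam_nullok "$2")
    echo "PermitEmptyPasswords=$pep UsePAM=$usepam pam_unix_nullok=$nullok"
    case "$pep" in [Yy]*) echo "RISK: sshd permits empty passwords"; return 1 ;; esac
    case "$usepam" in
        [Yy]*) echo "WARN: PAM decides (nullok=$nullok); verify with a real login test"; return 2 ;;
    esac
    echo "OK: sshd rejects empty passwords before PAM is consulted"; return 0
}

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/pam.d/sshd.
write_samples() {   # write_samples DIR
    printf 'PermitEmptyPasswords no\nUsePAM yes\nUsePAM no\n' > "$1/sshd_config"
    printf '# constructed sample\nauth required pam_unix.so no_warn try_first_pass\n' > "$1/pam_sshd"
}

d=$(mktemp -d) && write_samples "$d"
audit_empty_passwords "$d/sshd_config" "$d/pam_sshd" || :   # exits 2: PAM holds the decision
rm -rf "$d"
```

Running it against real files needs read access to /etc/ssh/sshd_config and /etc/pam.d/sshd; an exit status of 2 is the situation T. describes, and setting UsePAM no (as T. did) turns it into 0.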