From owner-freebsd-questions@FreeBSD.ORG  Wed May  7 05:23:41 2008
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 625041065670
	for <freebsd-questions@freebsd.org>;
	Wed,  7 May 2008 05:23:40 +0000 (UTC)
	(envelope-from freebsd-questions@lists.goldenpath.org)
Received: from randymail-a5.g.dreamhost.com (sd-green-bigip-66.dreamhost.com
	[208.97.132.66])
	by mx1.freebsd.org (Postfix) with ESMTP id 47D248FC0A
	for <freebsd-questions@freebsd.org>;
	Wed,  7 May 2008 05:23:40 +0000 (UTC)
	(envelope-from freebsd-questions@lists.goldenpath.org)
Received: from [127.0.0.1] (shekel.dreamhost.com [208.113.247.228])
	by randymail-a5.g.dreamhost.com (Postfix) with ESMTP id 3FD7F90CC1;
	Tue,  6 May 2008 22:23:39 -0700 (PDT)
Message-ID: <48213CDA.6080305@lists.goldenpath.org>
Date: Wed, 07 May 2008 01:23:38 -0400
From: "T." <freebsd-questions@lists.goldenpath.org>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: infofarmer@FreeBSD.org
References: <4820A2E3.9030500@lists.goldenpath.org>
	<20080506200510.GU92161@amilo.cenkes.org>
In-Reply-To: <20080506200510.GU92161@amilo.cenkes.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: sshd on FreeBSD default allows blank passwords?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2008 05:23:41 -0000

Andrew Pantyukhin wrote:
> On Tue, May 06, 2008 at 02:26:43PM -0400, T. wrote:
>   
>> I didn't realize this before, but it came to my attention when
>> debugging PAM problems.  Actually, sshd default does not allow
>> it, but another default is in enabling PAM.  It's passing power
>> over to PAM which is allowing it.
>>
>> I didn't see another way immediately available to fix it, so I
>> disabled PAM in sshd. Works as expected now.
>>
>> Is there a PAM solution for this?
>>
>> Is this intended to be the default behavior?
>>     
>
> Now that you mention it, I also was under impression that the
> reverse should be default. I'm no pam expert, but I thought
> "nullok" was required in /etc/pam.d/sshd next to pam_unix in
> order for empty passwords to work. But there's no "nullok" there
> by default and empty passwords still work. Disturbing.
>   

Tested on my 5.5 box. Same thing there.
Have been taking this for granted for a long time.
Ooops.