Date:      Tue, 30 May 2023 21:11:03 +0200
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        David Chisnall <theraven@FreeBSD.org>
Cc:        Mike Karels <mike@karels.net>,  bob prohaska <fbsd@www.zefox.net>, freebsd-current@freebsd.org
Subject:   Re: Surprise null root password
Message-ID:  <86sfbdk52w.fsf@ltc.des.no>
In-Reply-To: <850FF076-A511-4802-8D7C-2029752C3345@FreeBSD.org> (David Chisnall's message of "Sat, 27 May 2023 10:39:12 +0100")
References:  <ZHDt21wFlpJfQKEs@www.zefox.net> <ZHFqzf9A90L9NfJb@www.zefox.net> <E29BDD31-BB38-41F8-B1F9-422CBEC7143D@karels.net> <850FF076-A511-4802-8D7C-2029752C3345@FreeBSD.org>

David Chisnall <theraven@FreeBSD.org> writes:
> There was a very nasty POLA violation a release or two ago.  OpenSSH
> defaults to disallowing empty passwords and so having a null password
> was a convenient way of allowing people to su or locally log into that
> user but disallowing ssh.  This option does not work in recent
> versions of FreeBSD.  Turning on the option to permit root login while
> keeping the root password blank used to be (mostly) safe because it
> permitted su to root from people in the wheel group, root login via
> SSH key remotely (for ‘everything is broken I can’t log in as a user
> whose home directory is not on the root filesystem’ recovery) and
> local login as root from consoles marked as secure.  It now permits
> root login from the network with a blank password.

That is incorrect.  PermitRootLogin defaults to “no” in FreeBSD and to
“prohibit-password” upstream (and presumably in the port), while
PermitEmptyPasswords defaults to “no” both in FreeBSD and upstream,
cf. crypto/openssh/servconf.c (search for “permit_root” and
“permit_empty”).

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org

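An added example, not part of the thread or of FreeBSD/OpenSSH code: a small audit that reads the global section of an sshd_config and reports whether the two settings named above would let root log in over the network with a blank password. The defaults are taken from the reply (FreeBSD: PermitRootLogin no; upstream: prohibit-password; PermitEmptyPasswords no for both); the first-occurrence-wins parsing and the case-insensitive keywords follow OpenSSH's documented config handling, and the sample configs are constructed.

```python
"""Audit PermitRootLogin / PermitEmptyPasswords as discussed in the thread.

Constructed example. Defaults follow the reply above. OpenSSH honours the
first occurrence of a keyword, so duplicates later in the file are ignored
here too; only the global section (before any Match block) is examined, and
other settings that can also gate password auth are deliberately ignored.
"""

DEFAULTS = {
    "freebsd": {"permitrootlogin": "no", "permitemptypasswords": "no"},
    "upstream": {"permitrootlogin": "prohibit-password",
                 "permitemptypasswords": "no"},
}

# Constructed sample inputs.
SAMPLE_DEFAULT = "# stock file: everything commented out\n#PermitRootLogin no\n"
SAMPLE_WEAK = ("PermitRootLogin yes\n"
               "PermitEmptyPasswords=yes\n"
               "PermitRootLogin no\n"      # ignored: first value wins
               "Match User backup\n"
               "    PermitRootLogin no\n")  # conditional block, out of scope


def parse_sshd_config(text):
    """Return {keyword: value} for the global section, first value wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept "Keyword value" and "Keyword=value"; keywords are
        # case-insensitive.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)
    return seen


def effective(config, flavour="freebsd"):
    """Merge parsed values over the defaults of the given sshd flavour."""
    eff = dict(DEFAULTS[flavour])
    eff.update({k: v for k, v in config.items() if k in eff})
    return eff


def root_blank_password_over_network(config, flavour="freebsd"):
    """True only if sshd would accept root with an empty password."""
    eff = effective(config, flavour)
    # Only "yes" allows password auth for root; "prohibit-password" (and its
    # older alias "without-password") and "forced-commands-only" do not.
    return eff["permitrootlogin"] == "yes" and eff["permitemptypasswords"] == "yes"
```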