Subject: Re: PAM vs empty password & rsh
To: Chuck Silvers <email@example.com>
From: Christos Zoulas <firstname.lastname@example.org>
Date: 05/10/2005 13:37:57
On May 10, 9:05am, email@example.com (Chuck Silvers) wrote:
-- Subject: Re: PAM vs empty password & rsh
| On Tue, May 10, 2005 at 11:05:52AM -0400, Christos Zoulas wrote:
| > In article <20050510135707.GA24027@spathi.chuq.com>,
| > Chuck Silvers <firstname.lastname@example.org> wrote:
| > >in the pre-PAM world, if a user had no password then rshd would allow
| > >any user from any host to execute commands as that user, but the PAMified
| > >rshd doesn't allow this. what's the best way to get the old behaviour back?
| > in /etc/pam.d/rsh change the pam_rhosts authentication from required to
| > sufficient.
| that allows anyone in, even if the account has a password.
| I was thinking it would be something more along the lines of
| the "nullok" option that pam_unix has.
So add a line enforcing a password:
auth required pam_nologin.so no_warn
auth sufficient pam_rhosts.so no_warn allow_root
auth required pam_unix.so no_warn try_first_pass nullok