Subject: Re: PAM vs empty password & rsh
To: Chuck Silvers <chuq@chuq.com>
From: Christos Zoulas <christos@zoulas.com>
List: tech-userlevel
Date: 05/10/2005 13:37:57
On May 10,  9:05am, chuq@chuq.com (Chuck Silvers) wrote:
-- Subject: Re: PAM vs empty password & rsh

| On Tue, May 10, 2005 at 11:05:52AM -0400, Christos Zoulas wrote:
| > In article <20050510135707.GA24027@spathi.chuq.com>,
| > Chuck Silvers  <chuq@chuq.com> wrote:
| > >in the pre-PAM world, if a user had no password then rshd would allow
| > >any user from any host to execute commands as that user, but the PAMified
| > >rshd doesn't allow this.  what's the best way to get the old behaviour back?
| > 
| > in /etc/pam.d/rsh change the pam_rhosts authentication from required to
| > sufficient.
| 
| that allows anyone in, even if the account has a password.
| I was thinking it would be something more along the lines of
| the "nullok" option that pam_unix has.

So add a line enforcing a password:

# auth
auth	required	pam_nologin.so	no_warn
auth	sufficient	pam_rhosts.so	no_warn allow_root
auth	required	pam_unix.so	no_warn try_first_pass nullok

christos