Re: behavior of passwordless logins has changed

[Michael van Elst <mlelstv%serpens.de@localhost>]

On Mon, Mar 24, 2008 at 12:04:15AM +0100, Tobias Nygren wrote:
> On Sun, 23 Mar 2008 21:19:51 +0000 (UTC)
> mlelstv%serpens.de@localhost (Michael van Elst) wrote:
> 
> > tnn%NetBSD.org@localhost (Tobias Nygren) writes:
> > 
> > >Previously an account with no password set would simply get logged in
> > >without displaying a password prompt. Recently (after the heimdal
> > >update?) it displays a password prompt, and accepts *any* password as
> > >valid, not just the empty string. Also, "PermitEmptyPasswords yes"
> > >doesn't seem to work from sshd_config anymore.
> > 
> > This sounds more like you now are using PAM.
> 
> I have the default pam configuration, and am not using kerberos.
> FWIW, I commented out this line in /etc/pam.d/system and now it works:
> 
> #auth sufficient pam_krb5.so no_warn try_first_pass
> 
> Maybe something is wrong in my userland, I'll try to clean objdir
> and rebuild ...

The old kerberos had a patch to return ENXIO when it wasn't configured,
in the new kerberos the patch is disabled.

As a result pam_krb5 failed before it called pam_get_authok() which
would query the password.

We either have to reestablish the patch or find another way to make
the PAM module aware of an unconfigured kerberos.

Greetings,
-- 
                                Michael van Elst
Internet: mlelstv%serpens.de@localhost
                                "A potential Snark may lurk in every tree."