Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: behavior of passwordless logins has changed

On Mon, Mar 24, 2008 at 12:04:15AM +0100, Tobias Nygren wrote:
> On Sun, 23 Mar 2008 21:19:51 +0000 (UTC)
> (Michael van Elst) wrote:
> > (Tobias Nygren) writes:
> > 
> > >Previously an account with no password set would simply get logged in
> > >without displaying a password prompt. Recently (after the heimdal
> > >update?) it displays a password prompt, and accepts *any* password as
> > >valid, not just the empty string. Also, "PermitEmptyPasswords yes"
> > >doesn't seem to work from sshd_config anymore.
> > 
> > This sounds more like you now are using PAM.
> I have the default pam configuration, and am not using kerberos.
> FWIW, I commented out this line in /etc/pam.d/system and now it works:
> #auth sufficient no_warn try_first_pass
> Maybe something is wrong in my userland, I'll try to clean objdir
> and rebuild ...

The old kerberos had a patch to return ENXIO when it wasn't configured,
in the new kerberos the patch is disabled.

As a result pam_krb5 failed before it called pam_get_authok() which
would query the password.

We either have to reestablish the patch or find another way to make
the PAM module aware of an unconfigured kerberos.

                                Michael van Elst
                                "A potential Snark may lurk in every tree."

Home | Main Index | Thread Index | Old Index