Gentoo Forums
[SOLVED] Blank Password Always Works

evlich
Tux's lil' helper

Joined: 17 Oct 2007
Posts: 107

Posted: Mon May 20, 2013 4:48 am    Post subject: [SOLVED] Blank Password Always Works

For some reason, anytime that I am asked to enter a password (e.g. login in kdm, sudo, etc.) the blank password always works. Can anyone suggest some places where I should start looking to solve this problem? My thought was it has something to do with pam, but I've never messed with any of the pam files.

Thanks.


Last edited by evlich on Mon May 20, 2013 10:16 pm; edited 1 time in total

Christian99
Veteran

Joined: 28 May 2009
Posts: 1668

Posted: Mon May 20, 2013 8:27 am

sudo itself can be configured to not require a password, but I think there shouldn't be a password prompt at all instead of accepting an empty one.

Have you tried changing your password already?
And are wrong passwords also accepted?

Also, there is a (very theoretical) chance of a hash collision, but that's very unlikely.

evlich
Tux's lil' helper

Joined: 17 Oct 2007
Posts: 107

Posted: Mon May 20, 2013 12:20 pm

Thanks for the ideas. I tried setting my password, but that didn't change anything. One thing that I didn't say correctly is that it isn't just that the empty password works; anything works. It is as if the password checker is just the function that ignores the input and returns true.

Your mention of hashing made me think that this might have to do with kernel implementations of hash functions. Is that a possibility? I'm not sure what would be wrong with my kernel config, but would that be possible?

mv
Watchman

Joined: 20 Apr 2005
Posts: 6747

Posted: Mon May 20, 2013 12:30 pm

Do you actually have passwords set for root and for your users?
Check your /etc/shadow file: The entries between the first and second ':' should never be empty but should contain the hash of your password. Invoke "passwd" with the corresponding user if you have not set it (or use a dummy like ! or * if passwords should never succeed). See man 5 shadow.

evlich
Tux's lil' helper

Joined: 17 Oct 2007
Posts: 107

Posted: Mon May 20, 2013 2:35 pm

None of them are empty. Some have ! or !!, but none are empty.

Christian99
Veteran

Joined: 28 May 2009
Posts: 1668

Posted: Mon May 20, 2013 4:06 pm

Though you said you didn't change your PAM files, let's check them. They are in /etc/pam.d/.
To begin with, please post: login sshd system-local-login system-remote-login system-login system-auth

evlich
Tux's lil' helper

Joined: 17 Oct 2007
Posts: 107

Posted: Mon May 20, 2013 8:02 pm

Here they are:

Code:
/etc/pam.d/login
auth       required     pam_securetty.so
auth       include      system-local-login

account    include      system-local-login
password   include      system-local-login
session    include      system-local-login

Code:
/etc/pam.d/sshd
auth       include      system-remote-login
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login

Code:
/etc/pam.d/system-local-login
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login

Code:
/etc/pam.d/system-remote-login
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login

Code:
/etc/pam.d/system-login
auth            required        pam_tally2.so onerr=succeed
auth            required        pam_shells.so
auth            required        pam_nologin.so
auth            include         system-auth
 
account         required        pam_access.so
account         required        pam_nologin.so
account         include         system-auth
account         required        pam_tally2.so onerr=succeed
 
password        include         system-auth
 
session         optional        pam_loginuid.so
session         required        pam_env.so
session         optional        pam_lastlog.so
session         include         system-auth
session         optional        pam_ck_connector.so nox11
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so
 

Code:
/etc/pam.d/system-auth
auth            required        pam_env.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
 
account         required        pam_unix.so
account         optional        pam_permit.so
 
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so
 
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so


#auth           sufficient      pam_krb5.so use_first_pass
#auth           required        pam_deny.so
#account                sufficient      pam_krb5.so
#password       sufficient      pam_krb5.so use_authtok
#password       required        pam_deny.so
#session                optional        pam_krb5.so

Christian99
Veteran

Joined: 28 May 2009
Posts: 1668

Posted: Mon May 20, 2013 8:50 pm

Quote:
auth sufficient pam_unix.so try_first_pass likeauth nullok

I'm not an expert with PAM, but on my side this is required instead of sufficient, and this could cause this. Try changing that and report back.
The question remains why this is changed...
Sure you didn't do it?

evlich
Tux's lil' helper

Joined: 17 Oct 2007
Posts: 107

Posted: Mon May 20, 2013 10:15 pm

Thanks a lot. That seems to have done it.

Not sure how it got changed; I didn't even know that /etc/pam.d/ existed until I started having these problems. Maybe it was a bad merge from an etc-update or something like that.

Christian99
Veteran

Joined: 28 May 2009
Posts: 1668

Posted: Mon May 20, 2013 11:05 pm

Very unlikely. required should be the default there.
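
Added example, not part of the thread and not code from any poster: a simplified Python model of how Linux-PAM combines the keyword control flags, run over the auth lines posted above. It simulates a wrong password by letting pam_unix.so fail while every other module succeeds. The names `auth_stack`, `accepts_wrong_password`, `CREDENTIAL_MODULES` and `FIXED_FILES` are assumptions of this sketch, and bracketed `[value=action]` controls are not modelled.

```python
# Simplified model of Linux-PAM keyword controls; module results are simulated.
# Constructed from the auth lines posted in the thread.
PAM_FILES = {
    "system-login": """
auth  required  pam_tally2.so onerr=succeed
auth  required  pam_shells.so
auth  required  pam_nologin.so
auth  include   system-auth
""",
    "system-auth": """
auth  required    pam_env.so
auth  sufficient  pam_unix.so try_first_pass likeauth nullok
auth  optional    pam_permit.so
""",
}
# The same files with the change suggested in the thread.
FIXED_FILES = dict(PAM_FILES)
FIXED_FILES["system-auth"] = PAM_FILES["system-auth"].replace("sufficient", "required")
# Assumption: the only module here that verifies a secret.
CREDENTIAL_MODULES = {"pam_unix.so"}


def auth_stack(service, files):
    """Flatten the auth lines of a service, following 'include'."""
    stack = []
    for line in files[service].splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue  # blank line, comment, or another module type
        if fields[1] == "include":
            stack.extend(auth_stack(fields[2], files))
        else:
            stack.append((fields[1], fields[2]))
    return stack


def accepts_wrong_password(stack):
    """True if the stack succeeds although every credential check fails.

    A failed 'sufficient' or 'optional' module is ignored by PAM.
    """
    ok_seen = failed = False
    for control, module in stack:
        if module not in CREDENTIAL_MODULES:   # simulated success
            if control == "sufficient" and not failed:
                return True                    # success=done: grant now
            ok_seen = True                     # success=ok
        elif control == "requisite":
            return False                       # default=die: deny now
        elif control == "required":
            failed = True                      # default=bad: deny at the end
    return ok_seen and not failed
```

Calling `accepts_wrong_password(auth_stack("system-login", PAM_FILES))` returns True for the posted files and False for `FIXED_FILES`, which matches the behaviour reported before and after the change.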