View previous topic :: View next topic |
Author |
Message |
evlich Tux's lil' helper
Joined: 17 Oct 2007 Posts: 107
|
Posted: Mon May 20, 2013 4:48 am Post subject: [SOLVED] Blank Password Always Works |
|
|
For some reason, anytime that I am asked to enter a password (e.g. login in kdm, sudo, etc.) the blank password always works. Can anyone suggest some places where I should start looking to solve this problem? My thought was it has something to do with pam, but I've never messed with any of the pam files.
Thanks.
Last edited by evlich on Mon May 20, 2013 10:16 pm; edited 1 time in total |
|
Back to top |
|
|
Christian99 Veteran
Joined: 28 May 2009 Posts: 1668
|
Posted: Mon May 20, 2013 8:27 am Post subject: |
|
|
sudo itself can be configured to not require a password. but i think there shouldn't be a password prompt at all instead of accepting an empty one.
have you tried changing your password already?
and are wrong passwords are also accepted ?
Also there is a (very theoretical) chance for a hash collision, but that's very unlikely |
|
Back to top |
|
|
evlich Tux's lil' helper
Joined: 17 Oct 2007 Posts: 107
|
Posted: Mon May 20, 2013 12:20 pm Post subject: |
|
|
Thanks for the ideas. I tried setting my password, but that didn't change anything. One thing that I didn't say correctly is that it isn't just that the empty password works, anything works. It is as if the password checker is just the function that ignores the input and returns true.
You mention about hashing made me think that this might have to do with kernel implementations of hash functions. Is that a possibility? I'm not sure what would be wrong with my kernel config, but it would that be possible? |
|
Back to top |
|
|
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
|
Posted: Mon May 20, 2013 12:30 pm Post subject: |
|
|
Do you actually have set passwords for root and for your users?
Check you /etc/shadow file: The entries between the first and second ':' should never be empty but should contain the hash of your password. Invoke "passwd" with the corresponding user if you have not set it (or use a dummy like ! or * if passwords should never succeed). man 5 shadow |
|
Back to top |
|
|
evlich Tux's lil' helper
Joined: 17 Oct 2007 Posts: 107
|
Posted: Mon May 20, 2013 2:35 pm Post subject: |
|
|
None of them are empty. Some have ! or !!, but none are empty. |
|
Back to top |
|
|
Christian99 Veteran
Joined: 28 May 2009 Posts: 1668
|
Posted: Mon May 20, 2013 4:06 pm Post subject: |
|
|
though you said, you didn't change your pam files, let's check them. They are in /etc/pam.d/
for the beginning please post: login sshd system-local-login system-remote-login system-login system-auth |
|
Back to top |
|
|
evlich Tux's lil' helper
Joined: 17 Oct 2007 Posts: 107
|
Posted: Mon May 20, 2013 8:02 pm Post subject: |
|
|
Here they are:
Code: | /etc/pam.d/login
auth required pam_securetty.so
auth include system-local-login
account include system-local-login
password include system-local-login
session include system-local-login
|
Code: | /etc/pam.d/sshd
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
|
Code: | /etc/pam.d/system-local-login
auth include system-login
account include system-login
password include system-login
session include system-login
|
Code: | /etc/pam.d/system-remote-login
auth include system-login
account include system-login
password include system-login
session include system-login
|
Code: | /etc/pam.d/system-login
auth required pam_tally2.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally2.so onerr=succeed
password include system-auth
session optional pam_loginuid.so
session required pam_env.so
session optional pam_lastlog.so
session include system-auth
session optional pam_ck_connector.so nox11
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
|
Code: | /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
account required pam_unix.so
account optional pam_permit.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
#auth sufficient pam_krb5.so use_first_pass
#auth required pam_deny.so
#account sufficient pam_krb5.so
#password sufficient pam_krb5.so use_authtok
#password required pam_deny.so
#session optional pam_krb5.so
|
|
|
Back to top |
|
|
Christian99 Veteran
Joined: 28 May 2009 Posts: 1668
|
Posted: Mon May 20, 2013 8:50 pm Post subject: |
|
|
Quote: | auth sufficient pam_unix.so try_first_pass likeauth nullok |
I'm not an expert with pam, but here at my side this is required instead of sufficient and this could cause this. try changing that and report back.
Remains the question, why this is changed...
Sure you didn't do it? |
|
Back to top |
|
|
evlich Tux's lil' helper
Joined: 17 Oct 2007 Posts: 107
|
Posted: Mon May 20, 2013 10:15 pm Post subject: |
|
|
Thanks a lot. That seems to have done it.
Not sure how it got changed, I didn't even know that /etc/pam.d/ existed until I started having this problems. Maybe it was a bad merge from an etc-update or something like that. |
|
Back to top |
|
|
Christian99 Veteran
Joined: 28 May 2009 Posts: 1668
|
Posted: Mon May 20, 2013 11:05 pm Post subject: |
|
|
very unlikely. required should be the default there. |
|
Back to top |
|
|
|