Blank password works for root
Bevan C. Bennett
bevan at fulcrummicro.com
Fri Jan 9 17:03:53 UTC 2004
Bill Beeman wrote:
> This is consistent, whether from console, existing command line, or ssh from
> elsewhere,
> and works whether logging in as root, or by su from another user. In
> essence, no root security.
Ok, so it's almost certainly in system-auth then.
For comparison, I have the following system-auth 'auth' section:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_ldap.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
What does yours look like in its entirety?
If I remove LDAP, I see the following behavior on an otherwise fresh FC1
system:
[bevan at germanium ~]> su
Password: <no password>
su: incorrect password
[bevan at germanium ~]> su
Password: <correct password>
[root at germanium bevan]#
> However, comparing /etc/pam.d/system-auth with system-auth.rpmnew, I noticed
> the line
>
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
That's normal and generally correct.
> in both. removing "likeauth nullok" seems to solve the problem, but leaves
> the question of how it got that way. System-auth notes that it will be
> regenerated and user changes discarded when authconfig is run. I'll play
> with that a bit, but don't recall running that before. Anyone have any ideas
> what may have generated this?
Hmm. Could it be that your root user really -has- a null password?
The situation (both null and true password work) could come about from a
situation where you're using an external authentication (like LDAP).
Example:
-- /etc/pam.d/system-auth --
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
--
If root has a null password in /etc/shadow, but there's also a 'root'
user in LDAP with a real password, the null passwd will succeed for the
local user through pam_unix. Using the LDAP password would fail pam_unix
but pass pam_ldap. pam_unix should be logging into /var/log/messages
during this process... what do you see there when you su with a null
password and with a real password?
Also, what does the root entry in /etc/shadow look like (obfuscate if
necessary)?
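Added example, not part of the thread: a small POSIX shell audit for the combination described in this reply, a "sufficient" pam_unix line carrying nullok together with an account whose /etc/shadow password field is empty. The inputs are constructed temporary files mirroring the system-auth snippet above; the file paths and sample shadow entries are assumptions, and pointing PAM_FILE and SHADOW_FILE at the real files (as root) audits a host.

```shell
#!/bin/sh
# Audit helpers (added example; constructed inputs, not a real host's files).

# True (0) if an "auth sufficient ... pam_unix.so" line carries the nullok flag.
pam_unix_allows_null() {
    grep -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+.*pam_unix\.so' "$1" \
        | grep -qw 'nullok'
}

# Print every account whose shadow password field (2nd field) is empty.
accounts_with_empty_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print one WARNING per account that can authenticate with an empty password
# under this PAM stack; return 0 if any such account exists, 1 otherwise.
report_null_logins() {
    pam_file=$1; shadow_file=$2
    if ! pam_unix_allows_null "$pam_file"; then
        return 1
    fi
    found=1
    for user in $(accounts_with_empty_password "$shadow_file"); do
        echo "WARNING: $user has an empty password and pam_unix nullok is set in $pam_file"
        found=0
    done
    return $found
}

# Constructed sample inputs: the thread's system-auth 'auth' section without
# LDAP, and a shadow file where root's password field has been blanked.
PAM_FILE=$(mktemp); SHADOW_FILE=$(mktemp)
trap 'rm -f "$PAM_FILE" "$SHADOW_FILE"' EXIT
cat > "$PAM_FILE" <<'EOF'
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
EOF
cat > "$SHADOW_FILE" <<'EOF'
root::12345:0:99999:7:::
bevan:$1$constructedhash$:12345:0:99999:7:::
EOF

report_null_logins "$PAM_FILE" "$SHADOW_FILE"
```

Removing nullok from the pam_unix line, or setting a real password for root, makes the report come back empty; the awk check is the one to run first, since a blank shadow field is the actual defect and nullok only exposes it.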