Blank password works for root

Bevan C. Bennett bevan at fulcrummicro.com
Fri Jan 9 17:03:53 UTC 2004


Bill Beeman wrote:

> This is consistent, whether from console, existing command line, or ssh from
> elsewhere,
> and works whether logging in as root, or by su from another user.  In
> essence, no root security.

Ok, so it's almost certainly in system-auth then.
For comparison, I have the following system-auth 'auth' section:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

What does yours look like in its entirety?

If I remove LDAP, I see the following behavior on an otherwise fresh FC1 
system:
[bevan at germanium ~]> su
Password: <no password>
su: incorrect password
[bevan at germanium ~]> su
Password: <correct password>
[root at germanium bevan]#

> However, comparing /etc/pam.d/system-auth with system-auth.rpmnew, I noticed
> the line
> 
> auth       sufficient     /lib/security/$ISA/pam_unix.so   likeauth nullok

That's normal and generally correct.

> in both. Removing "likeauth nullok" seems to solve the problem, but leaves
> the question of how it got that way.  System-auth notes that it will be
> regenerated and user changes discarded when authconfig is run.  I'll play
> with that a bit, but don't recall running that before. Anyone have any ideas
> what may have generated this?

Hmm. Could it be that your root user really -has- a null password?
The situation (both null and true password work) could come about from a 
situation where you're using an external authentication (like LDAP).

Example:
-- /etc/pam.d/system-auth --
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
--

If root has a null password in /etc/shadow, but there's also a 'root' 
user in LDAP with a real password, the null passwd will succeed for the 
local user through pam_unix. Using the LDAP password would fail pam_unix 
but pass pam_ldap. pam_unix should be logging into /var/log/messages 
during this process... what do you see there when you su with a null 
password and with a real password?

Also, what does the root entry in /etc/shadow look like (obfuscate if 
necessary)?
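An added audit helper (example code, not from the thread or from Fedora) that parses the 'auth' section of a system-auth file like the one quoted above, flags nullok on pam_unix, checks an /etc/shadow excerpt for an empty root password field, and walks the required/sufficient controls to show why both an empty password and the LDAP password succeed in the stack described above. The system-auth and shadow excerpts are constructed, and the hash in them is a placeholder.

```python
"""Audit helpers for the PAM 'auth' stack discussed in the thread (constructed example)."""

# Constructed /etc/pam.d/system-auth 'auth' section, mirroring the thread's lines.
SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

# Constructed /etc/shadow excerpt: root's password field is empty; the other
# value is a placeholder, not a real hash.
SHADOW = """\
root::12345:0:99999:7:::
bevan:$1$PLACEHOLDERHASH:12345:0:99999:7:::
"""

def parse_auth_stack(text):
    """Return [(control, module, args)] for the 'auth' lines of a PAM config."""
    stack = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        module = parts[2].rsplit("/", 1)[-1]   # drop the /lib/security/$ISA/ prefix
        stack.append((parts[1], module, parts[3:]))
    return stack

def nullok_modules(text):
    """Auth-stack modules that accept an empty password field (nullok)."""
    return [m for _, m, args in parse_auth_stack(text) if "nullok" in args]

def empty_password_users(shadow_text):
    """Accounts whose /etc/shadow password field is empty."""
    return [l.split(":")[0] for l in shadow_text.splitlines() if l.split(":")[1] == ""]

def root_blank_login_possible(pam_text, shadow_text):
    """True when root has an empty shadow field AND pam_unix runs with nullok."""
    return "root" in empty_password_users(shadow_text) and "pam_unix.so" in nullok_modules(pam_text)

def stack_passes(stack, outcomes):
    """Evaluate an auth stack given each module's result (simplified control semantics)."""
    failed = False
    for control, module, _ in stack:
        ok = outcomes.get(module, False)
        if control == "sufficient" and ok and not failed:
            return True                      # success short-circuits the stack
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed = True                    # remembered, but later modules still run
    return not failed
```

With root's shadow field empty and nullok present, the empty password satisfies pam_unix, while the LDAP password fails pam_unix but satisfies pam_ldap, so both log in; removing nullok or setting a real local password closes the first path.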