Re: Surprise null root password
- Reply: Dag-Erling_Smørgrav : "Re: Surprise null root password"
- In reply to: Mike Karels : "Re: Surprise null root password"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 27 May 2023 09:39:12 UTC
On 27 May 2023, at 03:52, Mike Karels <mike@karels.net> wrote: > > On 26 May 2023, at 21:28, bob prohaska wrote: > >> It turns out all seven hosts in my cluster report >> a null password for root in /usr/src/etc/master.passwd: >> root::0:0::0:0:Charlie &:/root:/bin/sh >> >> Is that intentional? > > Well, it has been that way in FreeBSD since 1993, and in BSD since > 1980 (4.0BSD). I guess you would say that it is intentional. The > alternative would be to have a well-known password like root, but > then it wouldn’t be as obvious that a local password had not been > set. There was a very nasty POLA violation a release or two ago. OpenSSH defaults to disallowing empty passwords and so having a null password was a convenient way of allowing people to su or locally log into that user but disallowing ssh. This option does not work in recent versions of FreeBSD. Turning on the option to permit root login while keeping the root password blank used to be (mostly) safe because it permitted su to root from people in the wheel group, root login via SSH key remotely (for ‘everything is broken I can’t log in as a user whose home directory is not on the root filesystem’ recovery) and local login as root from consoles marked as secure. It now permits root login from the network with a blank password. David