Re: Surprise null root password
- Reply: David Chisnall : "Re: Surprise null root password"
- In reply to: David Chisnall : "Re: Surprise null root password"
Date: Tue, 30 May 2023 19:11:03 UTC
David Chisnall <theraven@FreeBSD.org> writes:

> There was a very nasty POLA violation a release or two ago. OpenSSH
> defaults to disallowing empty passwords and so having a null password
> was a convenient way of allowing people to su or locally log into that
> user but disallowing ssh. This option does not work in recent
> versions of FreeBSD. Turning on the option to permit root login while
> keeping the root password blank used to be (mostly) safe because it
> permitted su to root from people in the wheel group, root login via
> SSH key remotely (for ‘everything is broken I can’t log in as a user
> whose home directory is not on the root filesystem’ recovery) and
> local login as root from consoles marked as secure. It now permits
> root login from the network with a blank password.

That is incorrect. PermitRootLogin defaults to “no” in FreeBSD and to “prohibit-password” upstream (and presumably in the port), while PermitEmptyPasswords defaults to “no” both in FreeBSD and upstream, cf. crypto/openssh/servconf.c (search for “permit_root” and “permit_empty”).

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
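The two options the thread argues about, PermitRootLogin and PermitEmptyPasswords, both have to be switched away from their defaults before root can authenticate over the network with a blank password. The script below is an added example, not part of the original thread, that reads the effective sshd settings in the one-keyword-per-line format that `sshd -T` prints and reports whether that combination is present. The sample inputs are constructed; on a real host, feed it the output of `sshd -T` instead. It checks only the two options discussed above and assumes password-style authentication is otherwise enabled.

```shell
#!/bin/sh
# Added example (not from the original thread): audit effective sshd settings
# for the root-login-with-empty-password combination. Input format assumed:
# `sshd -T` output, i.e. one "keyword value" pair per line, lowercase keywords.

# Constructed sample excerpts of `sshd -T` output for this example. On a
# real host, use:  sshd -T | grep -Ei '^permit(rootlogin|emptypasswords) '
SAMPLE_DEFAULT='permitrootlogin prohibit-password
permitemptypasswords no'

SAMPLE_RISKY='permitrootlogin yes
permitemptypasswords yes'

# sshd_opt CONFIG KEYWORD -> prints the value of KEYWORD (lowercase) in CONFIG
sshd_opt() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print $2; exit }'
}

# root_blank_pw_over_ssh CONFIG -> returns 0 if the settings allow root to log
# in over the network with an empty password, 1 otherwise. Both options must
# be "yes": PermitRootLogin "no" or "prohibit-password" blocks password
# authentication for root, and PermitEmptyPasswords "no" rejects empty
# passwords for every user. A missing keyword is treated as the default "no".
root_blank_pw_over_ssh() {
    prl=$(sshd_opt "$1" permitrootlogin)
    pep=$(sshd_opt "$1" permitemptypasswords)
    [ "${prl:-no}" = "yes" ] && [ "${pep:-no}" = "yes" ]
}

# audit CONFIG -> prints a verdict; returns 1 when the risky combination is set
audit() {
    if root_blank_pw_over_ssh "$1"; then
        echo "WARNING: root may log in over SSH with an empty password"
        return 1
    fi
    echo "OK: root login with an empty password is not permitted over SSH"
}

audit "$SAMPLE_DEFAULT"
audit "$SAMPLE_RISKY" || true
```

`sshd -T` prints the configuration after defaults and Match blocks are resolved, which is why the script reads that rather than sshd_config itself: a keyword absent from the file is still reported there with its compiled-in default.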