Message-ID: <83f96e4b-7f27-a34c-0c0a-5e348e3b28d1@plan-b.pwste.edu.pl>
Date: Tue, 30 May 2023 21:36:47 +0200
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
Subject: Re: Surprise null root password
To: freebsd-current@freebsd.org
From: Marek Zarychta

On 26.05.2023 at 19:35, bob prohaska wrote:
> While going through normal security email from a Pi2
> running -current I was disturbed to find:
>
> Checking for passwordless accounts:
> root::0:0::0:0:Charlie &:/root:/bin/sh

This thread reminded me of another issue with passwords I encountered a few years ago. Stronger passwords for users can be enforced with pam_passwdqc(8). But if a password expiration policy is enabled, it doesn't work, since the password change for an expired password is called by the ssh or login PAM module. Thus, to enforce stronger passwords for users whose passwords have expired, pam_passwdqc should also be added to both /etc/pam.d/{login,sshd}; otherwise a user with an expired password just presses return twice at the login prompt and ends up with an empty password set. I even raised D27656 some time ago, but it gained little interest apart from some rephrasing/grammar advice. So, to use a password expiration policy and enforce high-quality passwords together, pam_passwdqc(8) has to be activated in all three: /etc/pam.d/{login,passwd,sshd}.

Cheers
-- 
Marek Zarychta
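Below is an added example, not part of Marek's message and not FreeBSD's own code: a POSIX sh script that audits a pam.d tree for exactly the gap he describes, that is, pam_passwdqc.so present in the "password" stack of passwd but absent from login and sshd, where the expired-password change actually runs. The checker follows "password include <other>" lines, so a login stack that only includes the shared "system" stack is judged by what system loads. The pam.d files it creates are constructed samples modelled on the situation in the post, written to a throwaway directory; the "enforce=users" option string on the inserted line is an assumption and should be adjusted to local policy. To audit a live host, call audit_pamd /etc/pam.d (read-only) instead of running the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit which PAM
# services reach pam_passwdqc(8) in their "password" stack.
set -u

# has_passwdqc DIR SERVICE [DEPTH]
# Exit 0 when SERVICE's uncommented "password" lines load pam_passwdqc.so,
# directly or via "password include <other>" (at most 4 levels); else 1.
# The body is a subshell, so recursion does not clobber variables.
has_passwdqc() (
    dir=$1 svc=$2 depth=${3:-0}
    [ "$depth" -lt 4 ] || return 1
    [ -r "$dir/$svc" ] || return 1
    grep -v '^[[:space:]]*#' "$dir/$svc" | awk '$1 == "password"' |
    while read -r _type ctrl module _rest; do
        case $ctrl in
            include) has_passwdqc "$dir" "$module" $((depth + 1)) && echo found ;;
            *) case $module in *pam_passwdqc.so*) echo found ;; esac ;;
        esac
    done | grep -q found
)

# audit_pamd DIR: report login, passwd and sshd; exit status = number missing.
audit_pamd() {
    missing=0
    for svc in login passwd sshd; do
        if has_passwdqc "$1" "$svc"; then
            printf 'ok       %s\n' "$svc"
        else
            printf 'MISSING  %s: expired-password change here bypasses pam_passwdqc\n' "$svc"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# add_passwdqc DIR SERVICE: insert a passwdqc line before the first active
# "password" line so it runs ahead of pam_unix.so (or ahead of an include).
# "enforce=users" is an assumed option string; adjust it to your policy.
add_passwdqc() {
    f="$1/$2"
    awk 'BEGIN { done = 0 }
         !done && $1 == "password" { print "password\trequisite\tpam_passwdqc.so\t\tenforce=users"; done = 1 }
         { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# make_sample_pamd DIR: constructed tree modelled on the post: passwdqc only
# in passwd, login merely including the shared "system" stack, sshd direct.
make_sample_pamd() {
    mkdir -p "$1"
    cat > "$1/system" <<'EOF'
password    required    pam_unix.so     no_warn try_first_pass
EOF
    cat > "$1/login" <<'EOF'
auth        include     system
account     include     system
session     include     system
password    include     system
EOF
    cat > "$1/passwd" <<'EOF'
# pam_passwdqc enabled here only (the situation described in the post)
password    requisite   pam_passwdqc.so enforce=users
password    required    pam_unix.so     no_warn try_first_pass nullok
EOF
    cat > "$1/sshd" <<'EOF'
auth        required    pam_unix.so     no_warn try_first_pass
password    required    pam_unix.so     no_warn try_first_pass
EOF
}

# Demo against a throwaway tree; the real /etc/pam.d is never touched.
DEMO_DIR=$(mktemp -d)
make_sample_pamd "$DEMO_DIR"
echo "before:"; audit_pamd "$DEMO_DIR" || :
add_passwdqc "$DEMO_DIR" login
add_passwdqc "$DEMO_DIR" sshd
echo "after:";  audit_pamd "$DEMO_DIR" || :
rm -rf "$DEMO_DIR"
```

In the constructed tree the first audit reports login and sshd as MISSING and exits 2; after add_passwdqc on those two services all three pass. Putting the line in the shared "system" stack instead of login would also satisfy the checker, since includes are followed, which is the same decision an administrator faces on a stock layout.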