Re: Surprise null root password

From: David Chisnall <theraven_at_FreeBSD.org>
Date: Wed, 31 May 2023 12:48:13 UTC

On 30/05/2023 20:11, Dag-Erling Smørgrav wrote:
> David Chisnall <theraven@FreeBSD.org> writes:
>> There was a very nasty POLA violation a release or two ago.  OpenSSH
>> defaults to disallowing empty passwords and so having a null password
>> was a convenient way of allowing people to su or locally log into that
>> user but disallowing ssh.  This option does not work in recent
>> versions of FreeBSD.  Turning on the option to permit root login while
>> keeping the root password blank used to be (mostly) safe because it
>> permitted su to root from people in the wheel group, root login via
>> SSH key remotely (for ‘everything is broken I can’t log in as a user
>> whose home directory is not on the root filesystem’ recovery) and
>> local login as root from consoles marked as secure.  It now permits
>> root login from the network with a blank password.
> That is incorrect.  PermitRootLogin defaults to “no” in FreeBSD and to
> “prohibit-password” upstream (and presumably in the port), while
> PermitEmptyPasswords defaults to “no” both in FreeBSD and upstream,
> cf. crypto/openssh/servconf.c (search for “permit_root” and
> “permit_empty”).

I didn't say it defaulted to anything else, but if you enable 
PermitRootLogin then you have a nasty surprise because 
PermitEmptyPasswords=no does not do anything and you can still log in 
via an empty password.

There is presumably something I can put in pam.d that will prevent 
password-based login (without fully disabling keyboard-interactive from 
sshd_config) but I have never successfully understood anything after 
reading the PAM documentation.

David
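
An added example, not part of the original message or of FreeBSD's own code: a static check for the combination the message describes, namely root with an empty password field, PermitRootLogin set to yes, and keyboard-interactive authentication going through PAM. The sample files are constructed, and the UsePAM and KbdInteractiveAuthentication defaults are assumptions; the other two defaults are the ones stated in the thread.

```python
# Added example. Sample inputs are constructed. Defaults for PermitRootLogin and
# PermitEmptyPasswords follow the thread; the other two are assumptions.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "usepam": "yes",                        # assumption
    "kbdinteractiveauthentication": "yes",  # assumption
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Effective global settings: sshd uses the first value seen for a keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":      # conditional blocks are out of scope here
            break
        seen.setdefault(key, parts[1].strip().strip('"').lower())
    return {**ASSUMED_DEFAULTS, **seen}


def empty_password_users(master_passwd_text):
    """Account names whose second master.passwd field (the hash) is empty."""
    names = []
    for line in master_passwd_text.splitlines():
        fields = line.split(":")
        if not line.startswith("#") and len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names


def root_empty_password_exposed(sshd_text, master_passwd_text):
    """True for the combination reported in the thread: root has no password,
    PermitRootLogin is 'yes', and keyboard-interactive goes through PAM."""
    cfg = parse_sshd_config(sshd_text)
    return ("root" in empty_password_users(master_passwd_text)
            and cfg["permitrootlogin"] == "yes"
            and cfg["usepam"] == "yes"
            and cfg["kbdinteractiveauthentication"] == "yes")


SAMPLE_SSHD = "PermitRootLogin yes\nPermitEmptyPasswords no\n"      # constructed
SAMPLE_PASSWD = ("root::0:0::0:0:Charlie &:/root:/bin/sh\n"         # constructed
                 "alice:$6$placeholder:1001:1001::0:0:Alice:/home/alice:/bin/sh\n")
```

On a real host the inputs would be the output of `sshd -T` (or /etc/ssh/sshd_config) and /etc/master.passwd, read as root. The check only inspects configuration and does not attempt a login.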