[nycbug-talk] Change password at next login?
techneck at goldenpath.org
Tue Apr 29 23:08:07 EDT 2008
Miles Nordin wrote:
> PAM isn't cool. It's also full of bugs, and its behavior can be
> reliably known only by observation which is exactly the type of
> quirkyness what you *DO NOT* want from a subsystem meant to be
> checking passwords! no, you don't have to write n * m bits of special
> code, but everyone has m broken applications, and n * m things to test
> looking for surprise security problems. and, as you found, debuggers
> don't work well any more, source code is hard to find, and the
> internal behavior of modules is not documented, only rather optimistic
> fantasies of how to configure the module are sometimes partially
> documented. PAM's an embarassment.
Thank you for the head's up. It lead me to the answer: disabling PAM in sshd
Actually, I was kind of freaked out when after your rant I thought I
better personally check up on some things I was taking for granted.
Apparently this PAM business changes sshd default behavior such that the
FreeBSD default *does* allow ssh login with a blank password. eeww.
So, I thought I'd test another service, just to see if it was only SSH
having the problem. I don't know about other pam modules, but
pam_passwdqc does not work with telnet either. It doesn't even prompt.
If you put it in login, telnet prompts, but does not enforce.
So... like I said. I've been learning a lot about PAM...
It does sound cool, but apparently has serious problems. Oh, and it's
built into the FreeBSD system default security methods and is not well
What about the other BSDs? Are they doing this as well?
More information about the talk