
Empty passwords

nss-pam-ldapd allows people to log in against an eDirectory server
regardless of their password as long as they type an empty password.

eDirectory assumes that binds with an empty password are anonymous
binds, so binds with empty or NULL passwords always succeed.  Hence
logins with an empty password always succeed.  This anonymous access is
meant to have limited rights, and should certainly not allow you to log in.

I would assume that PAM's nullok option might intervene, but it
doesn't.  With nullok not set you can still log in.  I don't think that
nullok would work as intended here either: it's supposed to allow empty
passwords if the password server has an empty password for that user.

The attached patch just dumps empty passwords on the floor.  (Yes, this
patch is against 0.7.3, not 0.7.6.)

The correct patch would check eDirectory's response to find out if it
resulted in an anonymous (restricted access) bind.  Maybe the correct
solution is to play with minimum_uid or some such.


Regards,
Berend

I apologise for the disclaimer.



Attachment: nss.emptypasswd.patch
Description: Text Data
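Added example, not code from the post or from nss-pam-ldapd: the two checks the message argues for, side by side with the naive "bind succeeded, so the password was right" logic. The first check drops empty or NULL passwords before any bind is sent (what the attached patch does); the second verifies, after a successful bind, that the session actually carries the user's identity rather than an anonymous one (what a "correct patch" checking the server's response would do). The bind operation is injected so the logic runs offline; with python-ldap the real calls would be conn.simple_bind_s(dn, pw) followed by conn.whoami_s(), and the eDirectory stand-in, DNs and passwords below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class BindOutcome:
    bound: bool      # server accepted the bind request
    authzid: str     # identity reported by "Who am I?" (RFC 4532); "" when anonymous


# A bind function takes (dn, password) and returns a BindOutcome.
BindFn = Callable[[str, str], BindOutcome]


def normalise_authzid(authzid: str) -> str:
    """Strip the 'dn:' prefix used by the Who am I? reply and lowercase it."""
    if authzid.startswith("dn:"):
        authzid = authzid[3:]
    return authzid.strip().lower()


def naive_authenticate(dn: str, password: Optional[str], bind: BindFn) -> bool:
    """The failure mode from the post: trusting bind success alone."""
    return bind(dn, password or "").bound


def authenticate(dn: str, password: Optional[str], bind: BindFn) -> bool:
    """Hardened check: refuse empty credentials, then verify the bound identity."""
    # RFC 4513 section 5.1.2: a DN with an empty password is an "unauthenticated"
    # bind. eDirectory answers success and grants anonymous rights, so never send it.
    if not password:
        return False
    outcome = bind(dn, password)
    if not outcome.bound:
        return False
    # Confirm the session really carries the user's identity and was not
    # downgraded to anonymous by the server.
    return normalise_authzid(outcome.authzid) == dn.strip().lower()


def make_fake_edirectory(users: Dict[str, str]) -> BindFn:
    """Constructed stand-in for an eDirectory server (not a real LDAP client)."""
    def bind(dn: str, password: str) -> BindOutcome:
        if password == "":                      # unauthenticated bind -> anonymous
            return BindOutcome(bound=True, authzid="")
        if users.get(dn) == password:
            return BindOutcome(bound=True, authzid="dn:" + dn)
        return BindOutcome(bound=False, authzid="")
    return bind
```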
