[Pkg-shadow-devel] login command authenticates with empty shadow pass.

Jon Ander Ortiz jonbaine at gmail.com
Fri Jun 18 09:28:42 UTC 2010


Hi everyone:

I don't know if this behaviour is a feature or a bug, but it was a behaviour
that I don't expect from the login command.

I use the Debian 1:4.1.1-6+lenny1 login package.

I will explain how to reproduce the problem.

First of all I used passwd -d user to delete the pass of a user of my
system, as it says in the man page of passwd:

"
       -d, --delete
              Delete a user's password (make it empty). This is a quick way to
              disable a password for an account. It will set the named account
              passwordless.
"

In the shadow file the pass is deleted (empty pass). As I read in the shadow
man page, the key must be filled to be valid:

"
       The password field must be filled. The encrypted password consists of
       13 to 24 characters from the 64 character alphabet a thru z, A thru Z,
       0 thru 9, \. and /. Optionally it can start with a "$" character.
"

I get stuck when, in the getty (on the ttys), I can be authenticated with
this user (with an empty pass, only with an Enter).

I think that this is because the key is interpreted as NULL by the PAM
module and in the login command, and the pam_authenticate function returns
successful authentication in this case:

" A Null authentication token in the authentication database will result in
successful authentication unless PAM_DISALLOW_NULL_AUTHTOK was specified. In
such cases, there will not be any prompting for the user to enter an
authentication token. "

I understand that this is not correct, and pam_authenticate must be
called with PAM_DISALLOW_NULL_AUTHTOK to not allow the authentication of
users with a NULL key. But, setting this flag, the problem is still not
solved, I think because the logging prompt returns \0 instead of NULL, or
something similar. I have not found a solution yet, and I won't send a patch
now; if I find a solution I will send a patch, but now I cannot spend more
time going deeper.

I've seen this problem in more places in the sources of the shadow package,
but IMHO this is the most important, since you can authenticate from a getty
placed on a tty with a NULL-keyed user (made with passwd -d).


BR:
Jon ander Ortiz
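
An audit for the situation described in this message, as an added example that is not part of the original post or of the shadow package: it lists accounts whose shadow password field is empty (the state `passwd -d` leaves) and the pam_unix `auth` lines carrying `nullok` or `nullok_secure`, the module options that let pam_unix accept such a field. The sample files, the account names and the `nullok` check are assumptions not taken from the post.

```shell
#!/bin/sh
# Added example: audit shadow-format and PAM files for passwordless logins.

# Print "user<TAB>state" for each entry of a shadow-format file:
#   empty  - password field is empty (the state `passwd -d` leaves)
#   locked - field starts with '!' or '*', so no password can match
#   hashed - anything else
classify_shadow() {
    awk -F: '
        /^#/ || /^$/  { next }
        NF < 2        { printf "%s\tmalformed\n", $1; next }
        $2 == ""      { printf "%s\tempty\n", $1; next }
        $2 ~ /^[!*]/  { printf "%s\tlocked\n", $1; next }
                      { printf "%s\thashed\n", $1 }
    ' "$1"
}

# Names of the accounts whose password field is empty.
empty_password_users() {
    classify_shadow "$1" | awk -F'\t' '$2 == "empty" { print $1 }'
}

# pam_unix "auth" lines that carry nullok or nullok_secure.
pam_unix_nullok_lines() {
    awk '$1 == "auth" && /pam_unix\.so/ {
        for (i = 3; i <= NF; i++)
            if ($i == "nullok" || $i == "nullok_secure") { print; next }
    }' "$1"
}

# Constructed sample data; on a real host pass /etc/shadow and the
# files under /etc/pam.d instead (reading /etc/shadow needs root).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$constructed$notARealHashValue0123:14778:0:99999:7:::
daemon:*:14700:0:99999:7:::
alice::14778:0:99999:7:::
bob:!:14778:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/common-auth" <<'EOF'
# constructed PAM stack
auth    required    pam_unix.so nullok_secure
EOF

echo "Accounts with an empty password field:"
empty_password_users "$SAMPLE_DIR/shadow"
echo "pam_unix auth lines that accept an empty field:"
pam_unix_nullok_lines "$SAMPLE_DIR/common-auth"
```

An account reported as `empty` combined with a reported pam_unix line is the combination that allows the Enter-only login; locking the account or giving it a password changes its state to `locked` or `hashed`.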