If is anybody interested in testing for this case, the below command will show if you have users with empty passwords on your server
cut -f1 -d: /etc/passwd | sudo xargs -n1 passwd --status | grep Empty Em qui, 10 de jan de 2019 às 23:26, Daniel. <[email protected]> escreveu: > Hi everybody > > I just installed cockpit in a server that I have access exclusively with > ssh keys, my surprise is that the user hasn't a password and installing > cockpit make possible to login without password opening a breach. Having > users without password is a problem but if you have ssh set up to enforce > key authentication this problem can happen silently, once you install > cockpit anyone with access to the servers 9090 port and the user name will > gain access to the server. > > Again i still think that the cause is the user without password, but would > be nice if cockpit enforce password authentication to avoid this, what you > guys think? > > Regards, > > PS: I tested with cockpit 176 from centos 7.6 repos > -- > “If you're going to try, go all the way. Otherwise, don't even start. ..." > Charles Bukowski > -- “If you're going to try, go all the way. Otherwise, don't even start. ..." Charles Bukowski
_______________________________________________ cockpit-devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
