Thanks Martin, I created a password for my empty-password user. I just want to report the possible breach and give everybody a way to fix it. Thanks for sharing the solution, I will add checks for empty passwords in my monitoring tools.
Regards,

On Fri, Jan 11, 2019 at 05:37, Martin Pitt <[email protected]> wrote:
> Hello Daniel,
>
> Daniel. [2019-01-10 23:26 -0200]:
> > I just installed cockpit in a server that I have access exclusively with
> > ssh keys, my surprise is that the user hasn't a password and installing
> > cockpit makes it possible to log in without a password, opening a breach.
>
> *Never* have users with an empty password (i. e. no password)! As you see, this
> will allow anyone else to log into the system as that user, via cockpit or su.
> Just disabling one avenue of login (e. g. by disabling password authentication
> in sshd_config) leaves too many other holes open.
>
> Note that cockpit is doing nothing special, /etc/pam.d/cockpit just includes
> the common "password-auth" PAM module.
>
> The proper way to configure such user accounts is to not have a valid empty
> password, but a locked one:
>
>     sudo passwd --lock thatuser
>
> Martin
> _______________________________________________
> cockpit-devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

-- 
“If you're going to try, go all the way. Otherwise, don't even start. ..." Charles Bukowski
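The monitoring check Daniel mentions, and the empty-versus-locked distinction Martin draws, as an added example that is not part of the thread and not Cockpit's code. It parses the shadow file format (the second colon-separated field is the password hash; an empty field means no password, while a field beginning with "!" or equal to "*" is what `passwd --lock` and system accounts produce). The shadow content below is constructed sample data; on a real host the functions read /etc/shadow on stdin, which requires root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report accounts whose
# shadow entry has an empty password field, which the "password-auth" PAM
# stack accepts with no password, and list accounts that are properly locked.

# Constructed sample in /etc/shadow format:
# name:hash:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW='root:$6$abc$hashedroot:17900:0:99999:7:::
daniel::17900:0:99999:7:::
deploy:!$6$def$hashedlocked:17900:0:99999:7:::
svc:*:17900:0:99999:7:::
alice:$6$ghi$hashedalice:17900:0:99999:7:::'

# Print one user name per line for every entry whose password field is empty.
# Usage on a real system: sudo sh -c 'empty_password_users < /etc/shadow'
empty_password_users() {
    awk -F: '$2 == "" { print $1 }'
}

# Print users whose password is locked: the field starts with "!" (the state
# `passwd --lock` produces) or is "*" (typical for system accounts).
locked_users() {
    awk -F: '$2 ~ /^!/ || $2 == "*" { print $1 }'
}

# Monitoring check: succeed (exit 0) only when no empty-password account exists.
# Feed it /etc/shadow from a cron job and alert on a non-zero exit status.
check_shadow() {
    n=$(empty_password_users | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Wrappers over the constructed sample so the block runs stand-alone.
sample_empty() {
    printf '%s\n' "$SAMPLE_SHADOW" | empty_password_users
}
sample_locked() {
    printf '%s\n' "$SAMPLE_SHADOW" | locked_users | tr '\n' ' ' | sed 's/ $//'
}

echo "empty-password accounts: $(sample_empty)"
echo "locked accounts: $(sample_locked)"
if printf '%s\n' "$SAMPLE_SHADOW" | check_shadow; then
    echo "check: OK"
else
    echo "check: FAIL (empty password present)"
fi
```

The check deliberately treats only a truly empty field as a finding: a locked hash still exists in the file, so a tool that merely greps for "no password set" in `passwd -S` output would conflate the safe locked state with the dangerous empty one.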
