Package: login
Version: 1:4.13+dfsg1-1+b1
Severity: serious
X-Debbugs-Cc: ircu...@gmail.com
Dear Maintainer,

On a newly installed Debian bookworm, /usr/share/doc/passwd/NEWS.Debian.gz mentions a new PREVENT_NO_AUTH option that is supposed to prevent login to passwordless accounts. The option is found in /etc/login.defs and has the default value:

PREVENT_NO_AUTH superuser

I removed the root password using `passwd -d root` so that `grep root /etc/shadow` reads:

root::19519:0:99999:7:::

I can now log in to root on a tty just by typing root as the login name. I can also log in to root just by typing `su` from a regular user account. "PREVENT_NO_AUTH superuser" has no effect.

I then changed the option to "PREVENT_NO_AUTH yes", which is supposed to prevent all passwordless account logins. I created a new user account with `useradd -m -s /bin/bash testuser` and deleted its password with `passwd -d testuser`. If I run `grep testuser /etc/shadow` it reads:

testuser::19558:0:99999:7:::

I can now also log in to this account on a tty without any password. `su newuser` also doesn't need any password. I can also still log in to the root account by doing `su`.

https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/su.c/?hl=504#L504 and https://sources.debian.org/src/shadow/1:4.13+dfsg1-1/src/login.c/?hl=980#L980 indicate that this should not be possible. It looks like PREVENT_NO_AUTH doesn't do anything at all.

This was replicated on IRC by another user too.

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages login depends on:
ii  libaudit1       1:3.0.9-1
ii  libc6           2.36-9
ii  libcrypt1       1:4.4.33-2
ii  libpam-modules  1.5.2-6
ii  libpam-runtime  1.5.2-6
ii  libpam0g        1.5.2-6

login recommends no packages.

login suggests no packages.
-- Configuration Files:
/etc/login.defs changed:
MAIL_DIR        /var/mail
FAILLOG_ENAB            yes
LOG_UNKFAIL_ENAB        no
LOG_OK_LOGINS           no
SYSLOG_SU_ENAB          yes
SYSLOG_SG_ENAB          yes
FTMP_FILE       /var/log/btmp
SU_NAME         su
HUSHLOGIN_FILE  .hushlogin
ENV_SUPATH      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH        PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP        tty
TTYPERM         0600
ERASECHAR       0177
KILLCHAR        025
UMASK           022
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN                  1000
UID_MAX                 60000
SUB_UID_MIN                100000
SUB_UID_MAX             600100000
SUB_UID_COUNT               65536
GID_MIN                  1000
GID_MAX                 60000
SUB_GID_MIN                100000
SUB_GID_MAX             600100000
SUB_GID_COUNT               65536
LOGIN_RETRIES           5
LOGIN_TIMEOUT           60
CHFN_RESTRICT           rwh
DEFAULT_HOME    yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
NONEXISTENT     /nonexistent
PREVENT_NO_AUTH yes

-- no debconf information
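An audit script, added here as an example and not part of the bug report or the shadow package, that reproduces the reporter's manual checks in one place: it lists every account whose shadow(5) password field is empty, reads the PREVENT_NO_AUTH value from a login.defs file, and prints which of those accounts the documented policy ("superuser" blocks only UID 0, "yes" blocks all) says login and su should refuse. The file paths are parameters, so it runs against the constructed sample files it writes itself (root and testuser with `passwd -d` applied, a made-up hash for a third user) or, as root, against the real /etc/shadow, /etc/passwd and /etc/login.defs. That the last PREVENT_NO_AUTH definition in login.defs wins is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the shadow project): audit which
# accounts have an empty password field and what PREVENT_NO_AUTH asks for.
# File paths are parameters so the functions run against constructed sample
# files (written by write_samples) or the real files when run as root.

# Write constructed sample files mirroring the report: root and testuser have
# had `passwd -d` run, bob still has a (fake) hash. Dates and hash are made up.
write_samples() {
    dir="$1"
    cat > "$dir/shadow" <<'EOF'
root::19519:0:99999:7:::
bob:$6$saltsalt$notarealhash:19519:0:99999:7:::
testuser::19558:0:99999:7:::
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000::/home/bob:/bin/bash
testuser:x:1001:1001::/home/testuser:/bin/bash
EOF
    cat > "$dir/login.defs" <<'EOF'
# PREVENT_NO_AUTH superuser
ENCRYPT_METHOD SHA512
PREVENT_NO_AUTH yes
EOF
}

# One login name per line for every shadow entry whose password field is empty.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Effective PREVENT_NO_AUTH value. Comment lines never match ($1 is "#");
# assumption: the last definition wins. Prints "unset" when the key is absent.
prevent_no_auth_setting() {
    awk '$1 == "PREVENT_NO_AUTH" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# UID of user $2 from the passwd-format file $1.
uid_of() {
    awk -F: -v u="$2" '$1 == u { print $3 }' "$1"
}

# Policy as NEWS.Debian (cited in the report) describes it: "yes" blocks every
# passwordless account, "superuser" only UID 0, anything else blocks none.
# Returns 0 when login/su should refuse the account, 1 when it may log in.
should_be_blocked() {
    case "$1" in
        yes)       return 0 ;;
        superuser) [ "$2" -eq 0 ] ;;
        *)         return 1 ;;
    esac
}

# Print "name uid EXPECT_BLOCKED|EXPECT_ALLOWED" for each passwordless account.
# Any EXPECT_BLOCKED line that still lets you in on a tty is the bug reported.
audit_report() {
    shadow="$1"; passwd="$2"; defs="$3"
    policy=$(prevent_no_auth_setting "$defs")
    for name in $(passwordless_accounts "$shadow"); do
        uid=$(uid_of "$passwd" "$name")
        if should_be_blocked "$policy" "$uid"; then
            echo "$name $uid EXPECT_BLOCKED"
        else
            echo "$name $uid EXPECT_ALLOWED"
        fi
    done
}

# Stand-alone run against the constructed sample set.
SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
echo "PREVENT_NO_AUTH=$(prevent_no_auth_setting "$SAMPLE_DIR/login.defs")"
audit_report "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/login.defs"
```

Run as root with `audit_report /etc/shadow /etc/passwd /etc/login.defs` after sourcing the script; the EXPECT_BLOCKED lines are the accounts to try on a tty and via `su` to confirm whether the setting is honoured.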