On 30/05/2023 20:11, Dag-Erling Smørgrav wrote:
> David Chisnall <thera...@freebsd.org> writes:
>> There was a very nasty POLA violation a release or two ago. OpenSSH
>> defaults to disallowing empty passwords and so having a null password
>> was a convenient way of allowing people to su or locally log into that
>> user but disallowing ssh. This option does not work in recent
>> versions of FreeBSD. Turning on the option to permit root login while
>> keeping the root password blank used to be (mostly) safe because it
>> permitted su to root from people in the wheel group, root login via
>> SSH key remotely (for ‘everything is broken I can’t log in as a user
>> whose home directory is not on the root filesystem’ recovery) and
>> local login as root from consoles marked as secure. It now permits
>> root login from the network with a blank password.
>
> That is incorrect. PermitRootLogin defaults to “no” in FreeBSD and to
> “prohibit-password” upstream (and presumably in the port), while
> PermitEmptyPasswords defaults to “no” both in FreeBSD and upstream,
> cf. crypto/openssh/servconf.c (search for “permit_root” and
> “permit_empty”).

I didn't say it defaulted to anything else, but if you enable
PermitRootLogin then you have a nasty surprise because
PermitEmptyPasswords=no does not do anything and you can still log in
via an empty password.

There is presumably something I can put in pam.d that will prevent
password-based login (without fully disabling keyboard-interactive from
sshd_config) but I have never successfully understood anything after
reading the PAM documentation.

David
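
An added example, not part of the original message and not FreeBSD or OpenSSH code: a small check over `sshd -T` output (the effective server configuration) that flags the combination discussed above, root login permitted while keyboard-interactive authentication goes through PAM. The sample inputs are constructed and the function names are hypothetical.

```python
import sys

# Keywords as printed (lower-case) by `sshd -T`, which dumps the effective config.
WATCHED = {"permitrootlogin", "permitemptypasswords", "usepam",
           "passwordauthentication", "kbdinteractiveauthentication"}

# Constructed sample input, not captured from a real host.
SAMPLE_RISKY = """\
port 22
permitrootlogin yes
permitemptypasswords no
usepam yes
passwordauthentication no
kbdinteractiveauthentication yes
"""
SAMPLE_KEY_ONLY = SAMPLE_RISKY.replace("permitrootlogin yes",
                                       "permitrootlogin prohibit-password")

def parse_effective(text):
    """Return the watched 'keyword value' pairs from `sshd -T` style text."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in WATCHED:
            cfg[parts[0].lower()] = parts[1].strip().lower()
    return cfg

def findings(cfg):
    """List the conditions from the thread that deserve a manual check."""
    out = []
    if cfg.get("permitrootlogin") != "yes":
        return out  # "no", "prohibit-password", "forced-commands-only": no root password path
    password = cfg.get("passwordauthentication") == "yes"
    kbdint = cfg.get("kbdinteractiveauthentication") == "yes"
    if password or kbdint:
        out.append("root may authenticate with a password")
    if kbdint and cfg.get("usepam") == "yes":
        # Keyboard-interactive is answered by the PAM stack, so confirm there
        # how an empty password is treated rather than relying on sshd_config.
        out.append("password decision for root is made by PAM; test empty-password handling")
    return out

if __name__ == "__main__":
    # Usage: sshd -T | python3 this_file.py
    for item in findings(parse_effective(sys.stdin.read())):
        print("CHECK:", item)
```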