Empty vs NULL passwords

807559 — Dec 22 2004 (edited Dec 23 2004)

To force users to authenticate themselves, we have set the parameter PermitEmptyPasswords to no in the SSH configuration file and the PASSREQ parameter in the login configuration file to yes. When the password field of an account in /etc/shadow is NULL, '::':
- logins -p shows the account,
- logging on via the console will prompt me to set a password before giving access
- logging on via SSH will be denied and the log shows that NULL passwords are not allowed.

Now, set empty the password of an account by pressing enter as superuser while asked for the new password:
- logins -p will not show the account
- Logins via the console are allowed
- Logins via SSH are allowed

This means empty passwords are not the same as NULL passwords, while the security risk is the same.

Is this a design error or a well-thought-out feature?

Regards,
Rene.
Post Details
Locked on Jan 20 2005
Added on Dec 22 2004
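
An audit check for both cases in the post, added here as an example and not part of the original thread. It assumes the second case stores a hash of the zero-length string in /etc/shadow, so it re-hashes "" with each entry's own salt; the names `classify`, `audit` and `SAMPLE` are hypothetical, and it goes beyond the post by treating the `*LK*` and `NP` markers as locked.

```python
import ctypes, ctypes.util

def _load_crypt():
    """Return a crypt(3)-style callable (word, setting) -> hash, or None."""
    try:
        import crypt                      # stdlib wrapper; removed in Python 3.13
        return crypt.crypt
    except ImportError:
        pass
    try:
        lib = ctypes.CDLL(ctypes.util.find_library("crypt"))
        lib.crypt.restype = ctypes.c_char_p
        lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    except (OSError, AttributeError):
        return None
    def c_crypt(word, setting):
        out = lib.crypt(word.encode(), setting.encode())
        if not out:
            raise OSError("crypt(3) rejected the setting")
        return out.decode()
    return c_crypt

CRYPT = _load_crypt()

def classify(field, crypt_fn=CRYPT):
    """Classify one /etc/shadow password field."""
    if field == "":
        return "null"            # '::', the case logins -p reports
    if field.startswith(("*", "!")) or field == "NP":
        return "locked"          # lock / no-login marker, not a hash
    if crypt_fn is None:
        return "unchecked"       # no crypt(3) available to test with
    try:
        # Re-hash the zero-length string with the entry's own salt/algorithm.
        same = crypt_fn("", field) == field
    except OSError:
        return "unchecked"
    return "empty-hash" if same else "hashed"

def audit(shadow_text, crypt_fn=CRYPT):
    """Map account name -> classification for shadow-format text."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0] and not line.startswith("#"):
            result[parts[0]] = classify(parts[1], crypt_fn)
    return result

# Constructed sample: one NULL field, one Solaris lock marker.
SAMPLE = "alice::12345::::::\nbob:*LK*:12345::::::\n"
```

Accounts reported as `null` or `empty-hash` both allow login without a secret; only the first is visible to a check that looks for an empty field.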