TUCoPS :: Linux :: Apps N-Z :: lnx5763.htm

PAM authentification bypass via disabled accounts
18th Oct 2002 [SBWID-5763]
COMMAND

	PAM authentification bypass via disabled accounts

SYSTEMS AFFECTED

	?

PROBLEM

	In       Debian       Security        Advisory        [DSA        177-1]
	[http://www.debian.org/security/] :
	

	--snip--
	

	Paul Aurich and Samuele Giovanni Tonon  discovered  a  serious  security
	violation in PAM.  Disabled  passwords  (i.e.  those  with  '*'  in  the
	password file) were classified as empty  password  and  access  to  such
	accounts is granted through the regular login procedure (getty,  telnet,
	ssh). This works  for  all  such  accounts  whose  shell  field  in  the
	password file does not refer to /bin/false. Only  version  0.76  of  PAM
	seems to be affected by this problem.
	

	--snap--

SOLUTION

	This problem has been fixed in version 0.76-6 for the  current  unstable
	distribution (sid). The stable  distribution  (woody),  the  old  stable
	distribution (potato) and  the  testing  distribution  (sarge)  are  not
	affected by this problem.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH