Hi everyone:<br><br>I don't know if this behaviour is a feature or a bug, but it was a behaviour that i don't expect from the login command.<br><br>I use debian 1:4.1.1-6+lenny1 login package.<br><br>I will explain how to reproduce the problem.<br>
<br>First of all i used passwd -d user to delete the pass of a user of my system, as it says in the man page of passwd:<br><br>" -d, --delete<br><pre> Delete a user's password (make it empty). This is a quick way to<br>
disable a password for an account. It will set the named account<br> passwordless.<br></pre>"<br><br>In the shadow file the pass is deleted (empty pass). As I read in the shadow man, the key must be filled <br>
to be valid:<br><br>"<br> The password field must be filled. The encrypted password consists of 13 to 24<br> characters from the 64 character alphabet a thru z, A thru Z, 0 thru 9, \. and<br> /. Optionally it can start with a "$" character.<br>
"<br><br>I get stucked when in the getty (in the tty's), i can be authenticated with this user (with empty pass, only with an <br>enter).<br><br>I think that this is beacause the key is intepreted as NULL by the pam module and in the login command, and the pam_authenticate<br>
function returns successfull authentication in this case:<br><br>"
A Null authentication token in the authentication database will result
in successful authentication unless <br>PAM_DISALLOW_NULL_AUTHTOK was
specified.
In such cases, there will not be any prompting for the user
<br>to enter an authentication token.
"<br><br>I understand that this is not correct, and the pam_authenticate must be called with PAM_DISALLOW_NULL_AUTHTOK<br>to not allow the authentication of users witn NULL key. But, setting this flag, the problem is still not solved, i thik beacause <br>
the logging prompt return \0 instead of NULL, or something similiar. I have not found a solution yet, and i don't send a patch<br>now, if i found a solution i will send a patch, but now i cannot spend more time going deeper.<br>
<br>I've seen this problem in more places in the sources of the shadow package, but imho this is the most important, <br>
since you can authenticate from a getty places in a tty with a NULL keyed user (made with passwd -d).<br><br><br>BR: <br>Jon ander Ortiz<br><br><br>