sshd: "none" authentication module quirk.

Description

See PR discussion: https://github.com/OpenXT/xenclient-oe/pull/951

The auth2-none module is responsible for handling the PermitEmptyPasswords option. Whenever that option is set, sshd will try to log in all users without a password.
For users that do have a password, that means a failed login attempt and a 2-second retry timeout. auth-passwd can handle empty passwords; clients can just press enter when prompted for a password.

Although AuthenticationMethods does not appear in the sshd_config man page, it is understood by sshd. When using AuthenticationMethods password, if root has a hash in /etc/shadow for an empty password, like $1$aIKg1Jne$qMOTnqQ8VxV5md/xTPx.V/, then any password will log you in, except for the empty string. This looks very wrong.

Validation Steps

  1. If a user has a password, setting PermitEmptyPasswords should not obviously have sshd try to log in without a password (and enforce the retry timeout).

  2. If a user has a hash in /etc/shadow for an empty password, only the empty string should log the user in.
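
An offline check for the account state in validation step 2, as an added example that is not part of the original ticket or the OpenXT code: it recomputes MD5-crypt ($1$) for the empty string with each entry's salt and lists the accounts whose stored hash matches. The function names and the shadow line built around the quoted hash are assumptions made for illustration; only the $1$ scheme is handled.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # crypt(3) base64 alphabet, least-significant 6 bits first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-crypt ("$1$") hash string; the salt is at most 8 bytes."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for left in range(len(password), 0, -16):
        ctx.update(alt[:min(left, 16)])
    n = len(password)
    while n:
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed number of stretching rounds
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return "$1$" + salt.decode() + "$" + body + _to64(final[11], 2)

def empty_password_accounts(shadow_text: str) -> list:
    """Users whose "$1$" shadow hash verifies against the empty string."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        parts = fields[1].split("$") if len(fields) > 1 else []
        if len(parts) != 4 or parts[1] != "1":
            continue  # locked ("*", "!"), blank field, or another hash scheme
        if md5_crypt(b"", parts[2].encode()) == fields[1]:
            hits.append(fields[0])
    return hits

if __name__ == "__main__":
    # Constructed shadow line carrying the hash string quoted in the report.
    print(empty_password_accounts("root:$1$aIKg1Jne$qMOTnqQ8VxV5md/xTPx.V/:17000:0:99999:7:::"))
```

Run it against a copy of /etc/shadow taken from the image under test; any account it lists is one that step 2 says must accept only the empty string.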

Assignee

Unassigned

Reporter

Eric Chanudet

Labels

None

QA Assignee

None

QA Image URL

None

Components

Priority

Critical