Bug 508

Summary: Failure to honor asterisk "*" passhash in shadow
Product: Sudo Reporter: Anthony Ryan <anthonyryan1>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED WONTFIX    
Severity: low CC: keanu1031
Priority: low    
Version: 1.8.1   
Hardware: PC   
OS: Linux   

Description Anthony Ryan 2011-08-29 02:42:21 MDT 
On most systems including my Gentoo servers the use of "*" as a hash in /etc/shadow denotes that the user requires no password, but can be logged in with public key authentication.

sudo doesn't seem to honor this as a default and prompts for a password for users with this configuration.

I have a temporary workaround in place at the moment, but I would like to see this fixed.
Comment 1 Todd C. Miller 2011-08-29 08:24:26 MDT 
Traditionally, a '*'  in the password field has indicated a locked account so it would not be safe for sudo to treat this as "no password", if that is what you are suggesting.  If you only want to use public key authentication I suggest you use a PAM module such as http://pam-ssh.sourceforge.net
Comment 2 Todd C. Miller 2011-08-29 08:40:59 MDT 
Now, if on the other hand, you just want sudo to avoid prompting for a password (since '*' can never match an encrypted password) and treat it as an auth failure, that would be fine.  Then the next PAM auth method will have a channce.
Comment 3 Anthony Ryan 2011-08-29 13:30:08 MDT 
While I would almost agree, I can observe for a fact that on Gentoo at least, and I'm fairly sure more "!" as the passhash indicates that it is a locked account, while "*" allows login.

OpenSSH 5.3 on Gentoo
        5.8 on Debian
        5.1 on FreeBSD


All seem to treat only "!" as a locked account, while "*" is a no password, but allow public key auth.

You should be able to confirm this behavior that a public key can log you in to any system "locked" with an asterisk.
Comment 4 Anthony Ryan 2011-09-01 03:24:53 MDT 
If you would prefer not to fix this, would you point me to the relevant file & lines and I patch this myself for my own installations?

Thanks.
Comment 5 Todd C. Miller 2011-09-02 09:42:16 MDT 
What constitutes a locked account varies widely between systems and OpenSSH includes special cases for multiple OSes.  If you look at the openssh configure.ac file you can see how it defines LOCKED_PASSWD_STRING on a per-OS basis.  For HP-UX, it is "*", for Irix, Solaris and SVR4/5 it is "*LK*".  On Linux it is not defined at all (though PAM may do its own thing).

The fact that sshd allows logins by RSA/DSA public key does not mean that the rest of the system ignores a user's password as sshd handles its own authentication in addition to being able to use PAM.  If you want PAM-aware programs that require a password to accept an ssh-style public key you need to use a PAM module like pam_ssh.

If you want to hack sudo to make it treat an encrypted password of "*" as no password, you should disable PAM support when configuring sudo (--without-pam) and modify the passwd_verify() function in the plugins/sudoers/auth/passwd.c file.