Bug 508 - Failure to honor asterisk "*" passhash in shadow
Status: RESOLVED WONTFIX
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.1
Hardware: PC Linux
Importance: low low
Assigned To: Todd C. Miller
Reported: 2011-08-29 02:42 MDT by Anthony Ryan
Modified: 2011-09-02 09:42 MDT (History)

Description Anthony Ryan 2011-08-29 02:42:21 MDT
On most systems, including my Gentoo servers, the use of "*" as a hash in /etc/shadow denotes that the user requires no password, but can be logged in with public key authentication.

sudo doesn't seem to honor this as a default and prompts for a password for users with this configuration.

I have a temporary workaround in place at the moment, but I would like to see this fixed.
Comment 1 Todd C. Miller 2011-08-29 08:24:26 MDT
Traditionally, a '*' in the password field has indicated a locked account so it would not be safe for sudo to treat this as "no password", if that is what you are suggesting.  If you only want to use public key authentication, I suggest you use a PAM module such as http://pam-ssh.sourceforge.net
Comment 2 Todd C. Miller 2011-08-29 08:40:59 MDT
Now, if, on the other hand, you just want sudo to avoid prompting for a password (since '*' can never match an encrypted password) and treat it as an auth failure, that would be fine.  Then the next PAM auth method will have a chance.
Comment 3 Anthony Ryan 2011-08-29 13:30:08 MDT
While I would almost agree, I can observe for a fact that on Gentoo at least, and I'm fairly sure on more, "!" as the passhash indicates that it is a locked account, while "*" allows login.

OpenSSH 5.3 on Gentoo
OpenSSH 5.8 on Debian
OpenSSH 5.1 on FreeBSD

All seem to treat only "!" as a locked account, while "*" means no password but allows public key auth.

You should be able to confirm this behavior: a public key can log you in to any system "locked" with an asterisk.
Comment 4 Anthony Ryan 2011-09-01 03:24:53 MDT
If you would prefer not to fix this, would you point me to the relevant file & lines so I can patch this myself for my own installations?

Thanks.
Comment 5 Todd C. Miller 2011-09-02 09:42:16 MDT
What constitutes a locked account varies widely between systems and OpenSSH includes special cases for multiple OSes.  If you look at the openssh configure.ac file you can see how it defines LOCKED_PASSWD_STRING on a per-OS basis.  For HP-UX, it is "*", for Irix, Solaris and SVR4/5 it is "*LK*".  On Linux it is not defined at all (though PAM may do its own thing).

The fact that sshd allows logins by RSA/DSA public key does not mean that the rest of the system ignores a user's password as sshd handles its own authentication in addition to being able to use PAM.  If you want PAM-aware programs that require a password to accept an ssh-style public key you need to use a PAM module like pam_ssh.

If you want to hack sudo to make it treat an encrypted password of "*" as no password, you should disable PAM support when configuring sudo (--without-pam) and modify the passwd_verify() function in the plugins/sudoers/auth/passwd.c file.
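As an added C example (not sudo's code and not posted by anyone in this thread), a classifier for the shadow password field that applies the conventions Comments 2 and 5 describe: the per-OS lock markers OpenSSH hard-codes ("*" on HP-UX, "*LK*" on Irix/Solaris/SVR4, nothing on Linux), the Linux "!" prefix, and the rule that "*" can never match a crypt(3) result, so it should fail without a prompt rather than count as "no password". The `os` labels and the function names are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not sudo's code: classify an /etc/shadow password field the
 * way passwd_verify()-style code should, never treating "*" as "no password"
 * and prompting only when the field could really be a crypt(3) hash. */
enum pw_state {
    PW_EMPTY,       /* "": no password set at all */
    PW_LOCKED,      /* OS lock marker: "!" prefix, "*" (HP-UX), "*LK*" (SVR4) */
    PW_UNMATCHABLE, /* no crypt(3) output can equal it: fail without a prompt */
    PW_HASH         /* plausible crypt(3) output: prompt and verify */
};

/* Lock markers as OpenSSH's configure.ac sets LOCKED_PASSWD_STRING per OS;
 * the os labels here are this example's own, not OpenSSH identifiers. */
static const char *locked_marker(const char *os)
{
    if (strcmp(os, "hpux") == 0)
        return "*";
    if (strcmp(os, "irix") == 0 || strcmp(os, "solaris") == 0 || strcmp(os, "svr4") == 0)
        return "*LK*";
    return NULL; /* Linux: undefined; passwd -l / usermod -L prefix "!" instead */
}

enum pw_state classify_passwd(const char *field, const char *os)
{
    const char *lock = locked_marker(os);
    if (field == NULL || *field == '\0')
        return PW_EMPTY;
    /* Lock markers first: "*LK*" also starts with '*' and must not fall through. */
    if (lock != NULL && strncmp(field, lock, strlen(lock)) == 0)
        return PW_LOCKED;
    if (field[0] == '!')
        return PW_LOCKED;
    /* DES crypt output uses [A-Za-z0-9./] and modular formats start with '$',
     * so a leading '*' can never match: unmatchable, not "no password". */
    if (field[0] == '*')
        return PW_UNMATCHABLE;
    return PW_HASH;
}

/* Comment 2's proposal: prompt only for a real hash, fail everything else. */
int should_prompt(const char *field, const char *os)
{
    return classify_passwd(field, os) == PW_HASH;
}

int main(void)
{   /* constructed sample field, not from a real system */
    printf("linux \"*\": prompt=%d\n", should_prompt("*", "linux"));
    return 0;
}
```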