On Mon, Oct 03, 2005 at 08:26:22AM -0700, Max Alekseyev wrote:
> I've found that if a user with an empty password is *the only* user in
> vsftpd_login.db then it is *not* authenticated by either version.

> Please create at least two users (with logins.txt shown above): the first with
> an empty password, the second with a non-empty password.
> Then the first user will be well authenticated with libpam-modules 0.76-23
> but not with 0.79-*.

> I believe that is some sort of bug in libpam-modules.

Aha, ok.  So after adding two users, trying to log in via su with an empty
password *succeeds* with libpam-modules 0.79-3 here.

Trying to log in to vsftp using your exact config fails; but this problem is
specific to the authorization component of the module, not the
authentication component.  The regression in the authorization component can
be explained by the fact that in Linux-PAM 0.76, pam_userdb's
pam_sm_acct_mgmt function didn't do anything except return PAM_SUCCESS.  In
0.79, it attempts to verify that the user is present in the database before
returning.  But if you've already authenticated the user via pam_userdb,
this check is redundant; I recommend simply dropping the 'account' line from
your vsftpd config.

Yes, there's still a regression in pam_userdb's pam_sm_acct_mgmt(), but
since I'm not sure why this code works *at all* for empty passwords, I'm not
really in a position to track this down.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
