While experimenting with PCI DSS on a default Debian Linux system, I found that when I comment out this line:

    auth required pam_unix.so nullok_secure

in /etc/pam.d/common-auth, any account may ssh into the box by typing anything as the password. Is this the desired behavior? I would think that it would fail by default.
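
An added example, not part of the original message: a small Python check that parses a pam.d file and reports when a management group such as auth is left with no active rules, which is the state the edit described above leaves /etc/pam.d/common-auth in. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed samples (not taken from a real host): common-auth with its only
# auth line commented out, as described above, and the same file untouched.
COMMENTED_OUT = "# /etc/pam.d/common-auth\n#auth required pam_unix.so nullok_secure\n"
UNTOUCHED = "# /etc/pam.d/common-auth\nauth required pam_unix.so nullok_secure\n"

# type, control (a single word or a [value=action ...] list), module, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def active_rules(text, mgmt_type="auth"):
    """Return (control, module, args) for every uncommented rule of mgmt_type."""
    rules = []
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in pam.d files
        if not line or line.startswith("@include"):
            continue                          # @include targets are not followed here
        m = RULE.match(line)
        if m and m.group(1) == mgmt_type:
            rules.append((m.group(2), m.group(3), m.group(4)))
    return rules


def check_stack(text, mgmt_type="auth"):
    """Return a list of findings; an empty list means nothing was flagged."""
    rules = active_rules(text, mgmt_type)
    if not rules:
        return [f"no active '{mgmt_type}' rules: nothing in this file checks a credential"]
    modules = [module for _, module, _ in rules]
    if all(m.endswith("pam_permit.so") for m in modules):
        return [f"'{mgmt_type}' stack contains only pam_permit.so, which always succeeds"]
    return []


if __name__ == "__main__":
    for name, text in (("commented out", COMMENTED_OUT), ("untouched", UNTOUCHED)):
        print(name, "->", check_stack(text) or "ok")
```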