Hello,
What is the reasoning (or tradition) behind the nullok option being set for auth
by default in Debian?
From what I see in the repository it was added back in 2008 in commit
35579f1ad5c4 ("first sample config for the pam framework") and only changed
once removing the suffix s/_secure// since the other one was an alias.
By default, the SSH server's PermitEmptyPasswords=no is seemingly blocking
this option. However, anything else using the common-* pam configs will not
inherit this behaviour from SSH. For instance, Dovecot: its package
installs a pam config that @includes common-auth, allowing attackers to,
for example, send mail, assuming Dovecot authenticates the SMTP server via SASL.
If the reason for nullok is tty login, wouldn't it be better to grant
this privilege only in login's pam configuration?
--
slj
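As an added illustration of the point raised in the mail (this is example code written for this page, not part of the mail, of Debian's pam-configs, or of Dovecot), the script below builds a small constructed stand-in for /etc/pam.d, reports which services inherit nullok through "@include common-auth", and then applies the suggested change: the shared stack is inlined into login with nullok kept, and nullok is stripped from common-auth so services such as dovecot no longer inherit it. All function names (make_sample_pamd, nullok_inheritors, inline_common_auth, strip_nullok) and the sample files are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original mail: audit a pam.d tree for the
# 'nullok' option in common-auth and show which services inherit it via
# @include, then confine nullok to the login service (constructed sample data).
set -eu

# Construct a small pam.d tree as a stand-in for /etc/pam.d (demo data only).
make_sample_pamd() {
  dir="$1"
  mkdir -p "$dir"
  # Debian-style common-auth carrying nullok (accounts with empty passwords pass)
  printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok\nauth\trequisite\tpam_deny.so\nauth\trequired\tpam_permit.so\n' > "$dir/common-auth"
  # Services that pull in the shared stack
  printf 'auth\trequired\tpam_nologin.so\n@include common-auth\n' > "$dir/login"
  printf '@include common-auth\n@include common-account\n' > "$dir/dovecot"
  printf '@include common-auth\n' > "$dir/sshd"
  # A service with its own explicit stack, no include
  printf 'auth\trequired\tpam_unix.so\n' > "$dir/cron"
}

# Prints "yes" if common-auth grants nullok (or the nullok_secure alias), else "no".
common_auth_nullok() {
  if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so.*[[:space:]]nullok' "$1/common-auth"; then
    echo yes
  else
    echo no
  fi
}

# Lists (sorted, one per line) every service file that @includes common-auth.
services_including_common_auth() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth[[:space:]]*$' "$f"; then
      basename "$f"
    fi
  done | sort
}

# Services that effectively accept empty passwords: the includers of common-auth,
# but only while common-auth itself still carries nullok.
nullok_inheritors() {
  if [ "$(common_auth_nullok "$1")" = yes ]; then
    services_including_common_auth "$1"
  fi
}

# Replace "@include common-auth" in one service file with the current contents
# of common-auth, so that service keeps its own private copy of the stack.
inline_common_auth() {
  dir="$1"; svc="$2"
  awk -v inc="$dir/common-auth" '
    /^[[:space:]]*@include[[:space:]]+common-auth[[:space:]]*$/ {
      while ((getline line < inc) > 0) print line
      close(inc)
      next
    }
    { print }' "$dir/$svc" > "$dir/$svc.tmp"
  mv "$dir/$svc.tmp" "$dir/$svc"
}

# Remove nullok / nullok_secure from common-auth (portable: no sed -i).
strip_nullok() {
  sed -E 's/[[:space:]]+nullok(_secure)?([[:space:]]|$)/\2/' "$1/common-auth" > "$1/common-auth.tmp"
  mv "$1/common-auth.tmp" "$1/common-auth"
}

# Demo run on a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_pamd "$demo_dir"
echo "services inheriting nullok before:"; nullok_inheritors "$demo_dir"
inline_common_auth "$demo_dir" login   # login keeps nullok in its own stack
strip_nullok "$demo_dir"               # everyone else loses it
echo "services inheriting nullok after:"; nullok_inheritors "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a copy of a real /etc/pam.d to see which services would be affected before touching anything; on a live system, pam-auth-update manages common-auth, so any hand edit should be made through its profile mechanism rather than by editing the generated file directly.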