# [SOLVED] Blank Password Always Works

## evlich

For some reason, anytime that I am asked to enter a password (e.g. login in kdm, sudo, etc.) the blank password always works. Can anyone suggest some places where I should start looking to solve this problem? My thought was it has something to do with pam, but I've never messed with any of the pam files.

Thanks.

Last edited by evlich on Mon May 20, 2013 10:16 pm; edited 1 time in total

----------

## Christian99

sudo itself can be configured to not require a password, but I think there shouldn't be a password prompt at all instead of accepting an empty one.

Have you tried changing your password already?

And are wrong passwords also accepted?

Also there is a (very theoretical) chance for a hash collision, but that's very unlikely.

----------

## evlich

Thanks for the ideas. I tried setting my password, but that didn't change anything. One thing that I didn't say correctly is that it isn't just that the empty password works, anything works. It is as if the password checker is just the function that ignores the input and returns true.

Your mention of hashing made me think that this might have to do with kernel implementations of hash functions. Is that a possibility? I'm not sure what would be wrong with my kernel config, but would that be possible?

----------

## mv

Do you actually have set passwords for root and for your users?

Check your /etc/shadow file: the entries between the first and second ':' should never be empty but should contain the hash of your password. Invoke "passwd" with the corresponding user if you have not set it (or use a dummy like ! or * if passwords should never succeed). See man 5 shadow.

----------

## evlich

None of them are empty. Some have ! or !!, but none are empty.

----------

## Christian99

Though you said you didn't change your pam files, let's check them. They are in /etc/pam.d/

To begin with, please post: login sshd system-local-login system-remote-login system-login system-auth

----------

## evlich

Here they are:

```
# /etc/pam.d/login
auth       required     pam_securetty.so
auth       include      system-local-login
account    include      system-local-login
password   include      system-local-login
session    include      system-local-login
```

```
# /etc/pam.d/sshd
auth       include      system-remote-login
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login
```

```
# /etc/pam.d/system-local-login
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login
```

```
# /etc/pam.d/system-remote-login
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login
```

```
# /etc/pam.d/system-login
auth            required        pam_tally2.so onerr=succeed
auth            required        pam_shells.so
auth            required        pam_nologin.so
auth            include         system-auth

account         required        pam_access.so
account         required        pam_nologin.so
account         include         system-auth
account         required        pam_tally2.so onerr=succeed

password        include         system-auth

session         optional        pam_loginuid.so
session         required        pam_env.so
session         optional        pam_lastlog.so
session         include         system-auth
session         optional        pam_ck_connector.so nox11
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so
```

```
# /etc/pam.d/system-auth
auth            required        pam_env.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so

account         required        pam_unix.so
account         optional        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
#auth           sufficient      pam_krb5.so use_first_pass
#auth           required        pam_deny.so
#account                sufficient      pam_krb5.so
#password       sufficient      pam_krb5.so use_authtok
#password       required        pam_deny.so
#session                optional        pam_krb5.so
```

----------

## Christian99

 *Quote:*   

> auth            sufficient      pam_unix.so try_first_pass likeauth nullok 

 

I'm not an expert with pam, but here on my side this is required instead of sufficient and this could cause this. Try changing that and report back.

The question remains why this is changed...

Sure you didn't do it?

----------

## evlich

Thanks a lot. That seems to have done it.

Not sure how it got changed, I didn't even know that /etc/pam.d/ existed until I started having these problems. Maybe it was a bad merge from an etc-update or something like that.

----------

## Christian99

Very unlikely. required should be the default there.

----------
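Added example, not part of the original thread: a simplified Python model of how Linux-PAM combines control flags, run over the auth lines posted above, showing why the stack succeeds when pam_unix.so rejects the password and why switching it to required closes the hole. The function names and the FILES/FIXED dictionaries are made up for this illustration; bracketed `[value=action]` controls and `substack` are not modelled.

```python
# Simplified model of Linux-PAM's required/requisite/sufficient/optional/include
# control flags; [value=action] controls and substack are not modelled.
FILES = {  # constructed sample: the auth lines of the files posted in the thread
    "login": "auth required pam_securetty.so\nauth include system-local-login",
    "system-local-login": "auth include system-login",
    "system-login": "auth required pam_tally2.so onerr=succeed\n"
                    "auth required pam_shells.so\n"
                    "auth required pam_nologin.so\n"
                    "auth include system-auth",
    "system-auth": "auth required pam_env.so\n"
                   "auth sufficient pam_unix.so try_first_pass likeauth nullok\n"
                   "auth optional pam_permit.so",
}
# The change suggested in the thread: pam_unix.so as required, not sufficient.
FIXED = {**FILES, "system-auth": FILES["system-auth"].replace("sufficient", "required")}

def flatten(files, service, mtype="auth"):
    """Resolve 'include' lines into one ordered list of (control, module)."""
    stack = []
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != mtype:
            continue
        if fields[1] == "include":
            stack += flatten(files, fields[2], mtype)
        else:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, failing=()):
    """Return True if the stack succeeds when the modules in `failing` fail."""
    state = None  # None = undecided, True = success so far, False = failed
    for control, module in stack:
        if module not in failing:
            if state is not False:
                state = True
                if control == "sufficient":
                    return True  # success with no earlier failure ends the stack
        elif control == "requisite":
            return False
        elif control == "required":
            state = False
        # a failing sufficient or optional module is ignored
    return state is True

def accepts_bad_password(files, service):
    """True if the service authenticates even though pam_unix.so rejects."""
    return evaluate(flatten(files, service), failing={"pam_unix.so"})
```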

