PAM: password validation error
| Package(s): | pam |
| CVE #(s): | |
| Created: | October 23, 2002 |
| Updated: | October 23, 2002 |
| Description: | Paul Aurich and Samuele Giovanni Tonon discovered a serious security violation in PAM. Disabled passwords (i.e. those with '*' in the password file) are treated as if they were empty and access to such accounts is granted through the regular login procedure (getty, telnet, ssh). This works for all such accounts whose shell field in the password file does not refer to /bin/false. Only version 0.76 of PAM seems to be affected by this problem. |
| Alerts: | |
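To find which accounts on a host running PAM 0.76 match the condition described above ('*' password, shell other than /bin/false), the following audit script is an added example, not part of the advisory or of PAM. It goes one step beyond the text by also resolving 'x' entries through a shadow file, which is an assumption about the host's layout; the function names and sample data are constructed for illustration.

```python
"""Added example: list accounts exposed to the disabled-password bug."""

SAFE_SHELL = "/bin/false"  # the only shell the advisory names as unaffected


def parse_colon_file(text, min_fields):
    """Yield field lists from passwd/shadow-style text, skipping junk lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def exposed_accounts(passwd_text, shadow_text=""):
    """Return sorted logins with a '*' password and a shell other than /bin/false."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    exposed = []
    for f in parse_colon_file(passwd_text, 7):
        name, pw, shell = f[0], f[1], f[6]
        if pw == "x":  # assumption: 'x' means the real field is in the shadow file
            pw = shadow.get(name, pw)
        # Only '*' is checked, because that is the marker the advisory describes.
        if pw == "*" and shell != SAFE_SHELL:
            exposed.append(name)
    return sorted(exposed)


# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructed$hash:11980:0:99999:7:::
www-data:*:11980:0:99999:7:::
alice:!:11980:0:99999:7:::
"""

if __name__ == "__main__":
    import sys
    args = sys.argv[1:]  # optional: passwd path, then shadow path
    passwd = open(args[0]).read() if args else SAMPLE_PASSWD
    shadow = open(args[1]).read() if len(args) > 1 else ("" if args else SAMPLE_SHADOW)
    print("\n".join(exposed_accounts(passwd, shadow)))
```

Accounts the script reports can be given /bin/false as their shell until PAM is moved off version 0.76, since the advisory states that such accounts are not reachable this way.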