[SOLVED] Successful login with empty password (Realm: Linux PAM standard authentication)

n.borisenkov

New Member
Dec 23, 2022
Under certain conditions, it is possible to log in to the web interface without knowing the user password.

To create users on hosts, we use an ansible playbook. There was an error in the playbook and one user had an incorrect password hash installed in /etc/shadow.

To log in via SSH, we use SSH keys, but a password is set for PVE hosts. In the PVE web interface we use PAM authentication.

What’s interesting is that if you enter an incorrect password hash or remove the password altogether using "passwd <login> --delete", you can still log in to PVE using any password.

The logs show the following message:
Code:
IPCC.xs[923128]: pam_unix(proxmox-ve-auth:auth): user [test-user] has blank password; authenticated without it
pvedaemon[923128]: <root@pam> successful authentication for user 'test-user@pam'

At first I tried to find this message in the PVE sources, but then I realized that this message was from the PAM subsystem and had nothing to do with PVE.

It's all about the settings in the file /etc/pam.d/common-auth
Code:
...
auth [success=1 default=ignore] pam_unix.so nullok
...

"nullok" allows logging in with a blank password. I tried logging into the Linux console and it worked. But it doesn't allow it via SSH because of "PermitEmptyPasswords" in the sshd config.

It seems to me that it is unsafe to allow the user to log into the administration interface when the password is not specified.

Is that how it was intended?
Maybe in future versions of PVE we can remove "nullok"?
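The two conditions described in this post (an empty password field in /etc/shadow combined with "nullok" on the pam_unix.so auth line) and the resulting log message can be checked for with a small audit script. The following is an added example, not code from the thread or from Proxmox; the shadow entries, PAM lines and log lines it contains are constructed samples modelled on the post, and the function names are my own.

```python
"""Audit for the blank-password condition: empty shadow field + nullok in PAM,
and detection of the pam_unix log message that results from it."""
import re

# Constructed sample /etc/shadow: 'test-user' has an empty password field,
# 'root' has a (placeholder) hash and 'daemon' is locked with '*'.
SAMPLE_SHADOW = """root:$6$placeholder$notarealhash:19350:0:99999:7:::
daemon:*:19350:0:99999:7:::
test-user::19350:0:99999:7:::
"""

# Constructed sample /etc/pam.d/common-auth carrying the weak 'nullok' option;
# the hardened form is the same line with 'nullok' removed.
SAMPLE_COMMON_AUTH = """# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
"""

# Constructed sample log lines in the format quoted in the post.
SAMPLE_LOG = """IPCC.xs[923128]: pam_unix(proxmox-ve-auth:auth): user [test-user] has blank password; authenticated without it
pvedaemon[923128]: <root@pam> successful authentication for user 'test-user@pam'
pvedaemon[923128]: <root@pam> successful authentication for user 'root@pam'
"""

def blank_password_accounts(shadow_text):
    """Return account names whose shadow password field (field 2) is empty."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found

def pam_unix_allows_nullok(pam_text):
    """True if an uncommented 'auth' line loads pam_unix.so with a nullok* option."""
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.startswith("auth") and "pam_unix.so" in line \
                and re.search(r"\bnullok\w*", line):
            return True
    return False

# Matches the pam_unix message for any service (the post shows proxmox-ve-auth).
BLANK_AUTH_RE = re.compile(
    r"pam_unix\([^)]*:auth\): user \[([^\]]+)\] has blank password; authenticated without it")

def blank_password_logins(log_text):
    """Return the users PAM reports as authenticated with a blank password."""
    return [m.group(1) for m in BLANK_AUTH_RE.finditer(log_text)]

if __name__ == "__main__":
    print("blank shadow fields:", blank_password_accounts(SAMPLE_SHADOW))
    print("nullok enabled:", pam_unix_allows_nullok(SAMPLE_COMMON_AUTH))
    print("blank-password logins seen:", blank_password_logins(SAMPLE_LOG))
```

On a real host, feed the script the contents of /etc/shadow, /etc/pam.d/common-auth and the journal instead of the samples; any account listed by the first check while the second returns True is the situation described in this post.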
> "nullok" allows logging in with a blank password. I tried logging into the Linux console and it worked. But it doesn't allow it via SSH because of "PermitEmptyPasswords" in the sshd config.

This is normal behaviour - at least in Debian and RHEL, so I think this is intended.