Empty root user password allows login with any password

SagnikS

Feb 23, 2018
If the root user doesn't have a password set, or it has been deleted (using passwd -d root), the Proxmox WebUI allows login with any arbitrary password.

This could potentially be a huge vulnerability. For example, a Debian 12 server is delivered with a blank root password and SSH key only auth. And then someone installs Proxmox on it, which leaves a time window for any attacker to get into the server. It would be great if Proxmox could either remove nullok from /etc/pam.d/common-auth, or disallow logins entirely if a user's password is blank.
 
The root password field in /etc/shadow should never be empty.

Put an x or an exclamation mark (just not a valid hash value) in it to disable password-based logins for the account.

This is nothing new. A blank password field allows login with any password since the dawn of Unix.
 
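An added audit helper, not code from the thread or from Proxmox, that checks the two conditions discussed above: an empty password field in a shadow-format file, and a pam_unix line in a PAM config that still carries nullok. It runs on constructed sample files; the file paths, sample accounts and the constructed hash are assumptions for the demo.

```shell
#!/bin/sh
# Added audit helper (not from the thread or from Proxmox).
# To audit a real host, run the functions as root against
# /etc/shadow and /etc/pam.d/common-auth instead of the samples below.

# Print the names of accounts whose password field (2nd field) is empty.
# An empty field means "no password required", so any password is
# accepted wherever the PAM stack permits empty passwords.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print non-comment pam_unix lines that carry the nullok option.
# Exit status is non-zero when no such line exists.
pam_nullok_lines() {
    grep -E '^[^#]*pam_unix\.so.*nullok' "$1"
}

# Succeed only when no account has an empty password field.
shadow_is_clean() {
    [ -z "$(empty_password_accounts "$1")" ]
}

# Print a copy of the file with every empty password field replaced by "!",
# which disables password login for that account (the fix suggested above).
# Output goes to stdout only; review it before installing it.
lock_empty_passwords() {
    awk -F: 'BEGIN { OFS = ":" } $2 == "" { $2 = "!" } { print }' "$1"
}

# --- constructed sample input (not a real system's files) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
SAMPLE_PAM="$SAMPLE_DIR/common-auth"
printf '%s\n' \
    'root::19000:0:99999:7:::' \
    'daemon:*:19000:0:99999:7:::' \
    'backup:!:19000:0:99999:7:::' \
    'alice:$6$saltsalt$notarealhashvalue:19000:0:99999:7:::' \
    > "$SAMPLE_SHADOW"
printf '%s\n' \
    '# common-auth (constructed sample)' \
    'auth    [success=1 default=ignore]      pam_unix.so nullok' \
    'auth    requisite                       pam_deny.so' \
    > "$SAMPLE_PAM"

echo "accounts with empty password field:"
empty_password_accounts "$SAMPLE_SHADOW"
echo "PAM lines still allowing empty passwords:"
pam_nullok_lines "$SAMPLE_PAM" || echo "(none)"
```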