|Applies To||ACE/Agent for PAM 5.3.4|
Solaris 10 SSHD
|Issue||PAM Agent Solaris 10 sshd allows SecurID challenged user with blank Unix password access without challenge|
Unix user account belongs to group configured to be SecurID challenged
Unix password has been set to blank or is empty
User enters username and is instantly granted access without challenge.
|Cause||This seems to be specific to the Solaris 10 implementation of SSHD. The first method tested in the PAM chain is sshd-none. The standard pam.conf has no entry for it, so it is handled by the "other" catch-all entry in pam.conf. The default handler grants access to the system. This occurs before the PAM chain processes sshd-kbdint, on which the SecurID module is triggered.|
Adding the following line to pam.conf causes sshd-none to be handled, which in turn forces sshd to process the next method in the PAM chain before access is granted:
sshd-none auth optional pam_deny.so.1
** This is a workaround only. It appears to solve the problem but should be used with caution.
Sun have published the following articles on their customer KB.
Bug ID: 5033461
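
A read-only check for the condition described above, added here as an example (not RSA's or Sun's code): it reports whether sshd-none and sshd-kbdint have their own auth entries in pam.conf or fall through to "other", and lists accounts with an empty password field. The function names, sample files and the module names in them are constructed for illustration; on a real host, point the functions at /etc/pam.conf and /etc/shadow.

```shell
#!/bin/sh
# Added example: which PAM auth stack does each sshd service actually get,
# and which accounts have an empty password field?

# pam.conf line format: service module_type control_flag module_path [options]
# First output line: "explicit", "other" (catch-all used) or "none".
pam_auth_stack() {   # usage: pam_auth_stack PAMCONF SERVICE
    awk -v svc="$2" '
        /^[ \t]*#/ || NF < 4   { next }            # comments, short lines
        tolower($2) != "auth"  { next }
        tolower($1) == tolower(svc) { own = own "\n  " $0 }
        tolower($1) == "other"      { oth = oth "\n  " $0 }
        END {
            if (own != "")      printf "explicit%s\n", own
            else if (oth != "") printf "other%s\n", oth
            else                print "none"
        }' "$1"
}

# Accounts whose shadow password field (2nd, colon-separated) is empty.
blank_password_users() {   # usage: blank_password_users SHADOWFILE
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Constructed sample files (not from a real host); module names are assumptions.
make_samples() {
    cat > "$1/pam.conf" <<'EOF'
# constructed sample: no sshd-none entry
sshd-kbdint auth required pam_securid.so
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_auth.so.1
EOF
    cat > "$1/shadow" <<'EOF'
root:CONSTRUCTED-HASH:6445::::::
alice::6445::::::
EOF
}

DEMO_DIR=$(mktemp -d) && trap 'rm -rf "$DEMO_DIR"' EXIT
make_samples "$DEMO_DIR"
for s in sshd-none sshd-kbdint; do
    printf '%s -> ' "$s"; pam_auth_stack "$DEMO_DIR/pam.conf" "$s"
done
printf 'blank password: %s\n' "$(blank_password_users "$DEMO_DIR/shadow")"
```

A service reported as "other" is authenticated by the catch-all stack rather than by entries of its own, which is the situation the Cause row describes for sshd-none.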
|Legacy Article ID||a33049|