diff --git a/lib/libpam/libpam/security/pam_mod_misc.h b/lib/libpam/libpam/security/pam_mod_misc.h index 08c9c1ab8f56..ff0cdc2dc8ea 100644 --- a/lib/libpam/libpam/security/pam_mod_misc.h +++ b/lib/libpam/libpam/security/pam_mod_misc.h @@ -37,6 +37,7 @@ * Common option names */ #define PAM_OPT_NULLOK "nullok" +#define PAM_OPT_EMPTYOK "emptyok" #define PAM_OPT_AUTH_AS_SELF "auth_as_self" #define PAM_OPT_ECHO_PASS "echo_pass" #define PAM_OPT_DEBUG "debug" diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8 index 1345e82296c0..03f8feaf4ba9 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.8 +++ b/lib/libpam/modules/pam_unix/pam_unix.8 @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 20, 2009 +.Dd April 3, 2020 .Dt PAM_UNIX 8 .Os .Sh NAME @@ -116,6 +116,16 @@ privileges), the option may cause .Nm to allow any user to log in with any password. +.It Cm emptyok +If the password database contains the password for the entity being +authenticated, but the password matches an empty string, +then this option will forgo password prompting, and +silently allow authentication to succeed. +.Pp +The difference between this and +.Cm nullok +is that it avoids prompting for password when the password is set +to an empty string, as opposed to not being set. .It Cm local_pass Use only the local password database, even if NIS is in use. This will cause an authentication failure if the system is configured diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c index ecdd10772155..29588f0af1ea 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.c +++ b/lib/libpam/modules/pam_unix/pam_unix.c @@ -94,6 +94,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, struct passwd *pwd; int retval; const char *pass, *user, *realpw, *prompt; + const char *emptypasswd = ""; if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { user = getlogin(); @@ -116,6 +117,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Password is empty, using fake password"); realpw = "*"; } + /* + * Check whether the saved password hash matches the one + * generated from an empty password - as opposed to empty + * saved password hash, which is handled above. + */ + if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && + openpam_get_option(pamh, PAM_OPT_EMPTYOK) && + strcmp(crypt(emptypasswd, realpw), realpw) == 0) + return (PAM_SUCCESS); lc = login_getpwclass(pwd); } else { PAM_LOG("Doing dummy authentication");