debian/NEWS: Mention new login behaviour regarding empty password field

Also set PREVENT_NO_AUTH in shipped login.defs accordingly.
2021-11-07 21:59:50 +01:00
parent 0246ee1e32
commit 600860fd1b
2 changed files with 18 additions and 0 deletions
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+shadow (1:4.9-1) UNRELEASED; urgency=medium
+
+  Login now prevents an empty password field to be interpreted as
+  "no authentication required" for UID 0 (root account).
+  The historical default of letting all users with empty password field
+  in without authentication can be restored in /etc/login.defs setting
+  PREVENT_NO_AUTH to "no".
+
+ -- Balint Reczey <balint@balintreczey.hu>  Sun, 07 Nov 2021 21:51:46 +0100
+
 shadow (1:4.7-1) unstable; urgency=medium

  * /etc/securetty is no longer shipped by this package and it is no longer
--- a/debian/login.defs
+++ b/debian/login.defs
@@ -321,6 +321,14 @@ NONEXISTENT	/nonexistent
 #
 #GRANT_AUX_GROUP_SUBIDS yes

+#
+# Prevents an empty password field to be interpreted as "no authentication
+# required".
+# Set to "yes" to prevent for all accounts
+# Set to "superuser" to prevent for UID 0 / root (default)
+# Set to "no" to not prevent for any account (dangerous, historical default)
+PREVENT_NO_AUTH superuser
+
 ################# OBSOLETED BY PAM ##############
 #						#
 # These options are now handled by PAM. Please	#