System Administration
Showing results for 
Search instead for 
Did you mean: 

RHEL4.8 how to allow a null password

Go to solution
Matt Shaffer_1
Regular Advisor

RHEL4.8 how to allow a null password

We run a cobol app on top of our RHEL OS. The app has it's own security(login/password combo) so I want to allow for a null OS password or maybe what I want is to skip the OS password all together. I've been trying different things in pam.d but haven't had success. Any ideas? Thanks.
Goran Koruga
Honored Contributor

Re: RHEL4.8 how to allow a null password


Did you try "nullok" option for pam_unix module?

Matt Shaffer_1
Regular Advisor

Re: RHEL4.8 how to allow a null password

Maybe I should be more specific. I am telneting as a root user. Below is some detail:

B0010-> grep -l nullok *

B0010-> cat system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/
auth sufficient /lib/security/$ISA/ likeauth nullok
auth required /lib/security/$ISA/

account required /lib/security/$ISA/

password required /lib/security/$ISA/ retry=3
password sufficient /lib/security/$ISA/ nullok use_authtok md5
password required /lib/security/$ISA/

session required /lib/security/$ISA/
session required /lib/security/$ISA/

thanks for the help
Steven E. Protter
Exalted Contributor

Re: RHEL4.8 how to allow a null password


Look at the user profiles of bin and some of the daemons in /etc/passwd

Perhaps you could duplicate one of them, change the UID and GID and get something that is never used for login.

Or you can start this product as follows:

/bin/su - c username "command to start daemon"

This would if run by root bypass the OS password.

It would require root access, but an admin or cron can do the job.

Steven E Protter
Owner of ISN Corporation
Goran Koruga
Honored Contributor

Re: RHEL4.8 how to allow a null password

Ahh check logs, I suspect your problem is "securetty" - a message in logfiles will confirm it.

Honored Contributor

Re: RHEL4.8 how to allow a null password

I once did something similar by configuring telnetd to start a custom script instead of a "login" program. That script would then setup the necessary environment and then use "su - username command" to start the application as a specific user dedicated to that purpose.

Of course, there is the side effect that you cannot use the same port for normal logins at all: any telnet login is automatically directed to the application instead.

You *could* choose to dedicate telnetd for the use of this COBOL application only, and use SSH or other login methods for system administration. Or you could set up a second copy of telnetd in a custom port: in that case it's your choice whether you put the regular telnet access or the application-customized version to the custom port.

To create a second copy of the telnet service:
1.) Assign a service name for your custom port in /etc/services, for example:

customtelnet 2323/tcp

2.) Copy the telnet service configuration file and edit its service definition to
refer to your custom service name:

cp /etc/xinetd.d/telnet /etc/xinetd.d/customtelnet

edit /etc/xinetd.d/customtelnet to change the "service telnet" line to "service customtelnet"

3.) run "service xinetd restart" or send a HUP signal to the xinetd process.

To make the telnet service start your application (or its startup script, if necessary):
1.) edit the telnet service definition in /etc/xinetd.d (either the standard or custom one, your choice) to add a "server_args" line to the service definition.

For example:
service telnet
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
server_args = -L /usr/local/bin/your-app-startup-script
log_on_failure += USERID
disable = no

(Note: with a quick reading of telnetd man page, it looks like you may have to add the "-a off" option to the server_args line too. I don't have a RHEL4 machine I could use for testing this at the moment, so you'll have to check it yourself.)

(Note 2: changing the "user" line in the xinetd service definition to an application-dedicated userid would probably be more secure than using su in application startup script. But that may require some extra care in setting up the shell environment before starting up the application.)

Matt Shaffer_1
Regular Advisor

Re: RHEL4.8 how to allow a null password

Thanks to all for the suggestions. I think the mark is being missed though. Here is some more explanation. I need to be able to telnet as root (with root password) and get to the command line. And also telnet as super (root ID) with super password and go right into app. I've run passwd -d super to delete password but that didn't work. I moved super to top of /etc/passwd and moved root to second line. I am able to telnet as root but can't as super. I try to enter the app password but it isn't taking. Below are the /etc/passwd entries.


thanks to all
Matt Shaffer_1
Regular Advisor

Re: RHEL4.8 how to allow a null password

Here are 2 lines from /var/log/messages.

Jul 17 09:45:20 B0010 remote(pam_unix)[7842]: authentication failure; logname= u
id=0 euid=0 tty=pts/1 ruser= user=super
Jul 17 09:45:22 B0010 login[7842]: FAILED LOGIN 1 FROM mshaffer-laptop.wescodist
.com FOR super, Authentication failure

Jul 17 09:47:47 B0010 remote(pam_unix)[7845]: session opened for user root by (u
Jul 17 09:47:47 B0010 -- root[7845]: ROOT LOGIN ON pts/1 FROM mshaffer-laptop.w
Jul 17 09:59:50 B0010 remote(pam_unix)[7845]: session closed for user root