From nobody@FreeBSD.org  Thu Jun 30 15:03:15 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4CDDD16A41C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Jun 2005 15:03:15 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 391D443D1F
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Jun 2005 15:03:15 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j5UF3EKH028812
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 30 Jun 2005 15:03:14 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j5UF3EH0028810;
	Thu, 30 Jun 2005 15:03:14 GMT
	(envelope-from nobody)
Message-Id: <200506301503.j5UF3EH0028810@www.freebsd.org>
Date: Thu, 30 Jun 2005 15:03:14 GMT
From: Wolfgang Lausenbart <u@netbeisser.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: no problem, but little addon for /etc/periodic/400.passwdless
X-Send-Pr-Version: www-2.3

>Number:         82823
>Category:       conf
>Synopsis:       [patch] little addon for /etc/periodic/400.passwdless
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 30 15:10:02 GMT 2005
>Closed-Date:    
>Last-Modified:  Sun Oct 23 23:11:18 GMT 2005
>Originator:     Wolfgang Lausenbart
>Release:        FreeBSD 5.4
>Organization:
netbeisser.de
>Environment:
FreeBSD5.4  
>Description:
--- 400.passwdless.backup	Wed Jun 29 19:21:24 2005
+++ 400.passwdless	Wed Jun 29 19:22:10 2005
@@ -45,4 +45,16 @@
     *)	rc=0;;
 esac
 
+#exit "$rc"
+

+case "$daily_status_security_passwdless_enable" in
+#this needs to be defined first
+#case "$daily_status_security_pam_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo 'Checking for weak pam configuration:'
+	grep 'optional' /etc/pam.d/* | grep -v '#' | grep -v README;;
+	
+   *)  rc=0;;
+esac
+
 exit "$rc"


>How-To-Repeat:
      Just goto /etc/pam.d/ and replace 
      "auth required" with "auth optional" a.s.f. 
      and local users could login without
      password. I think it is good style to check
      for this.

>Fix:
      not critical, but apply if you want.
>Release-Note:
>Audit-Trail:
>Unformatted:
