I received a note recently from David Mitchell about a possible case where login may be allowed
without a password using the PAM configuration given in my LDAP authentication on Debian Sarge
howto. This was due to terminating the common-account file with a line requiring the
pam_permit.so module. If an authentication module listed before this returns an
error rather than a failure, pam_permit.so may proceed and allow the user to log in with invalid
credentials. Though I was not able to get into my own machines configured this way without a valid
password, I've gone ahead and updated the configs listed in that howto to use pam_deny.so to deny
access unless a previous module succeeds. If you used my howto for configuring your own machines for
LDAP auth, you might want to take a look at the updated page and
modify your PAM configuration as appropriate. Thanks, David!
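
Why the last module in the stack matters, as an added example (not code from the howto or from Linux-PAM): a simplified Python model of how the required, requisite, sufficient and optional controls combine module results, run over two constructed account stacks. The sufficient pam_unix.so and pam_ldap.so lines and the result names are assumptions, since the howto's actual configuration is not shown on this page.

```python
# Simplified model of Linux-PAM's keyword controls, not libpam code; [value=action] controls are not modelled.
CONTROLS = {  # control: (action on success, action on any other result)
    "required": ("ok", "bad"),
    "requisite": ("ok", "die"),
    "sufficient": ("done", "ignore"),
    "optional": ("ok", "ignore"),
}
# Constructed stacks for illustration; the sufficient lines are an assumption.
WEAK = """\
account sufficient pam_unix.so
account sufficient pam_ldap.so
account required   pam_permit.so
"""
HARDENED = WEAK.replace("pam_permit.so", "pam_deny.so")

def parse_stack(text, mgmt_type="account"):
    """Return [(control, module)] for one management type."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != mgmt_type:
            continue
        if fields[1] not in CONTROLS:
            raise ValueError(f"unsupported control: {fields[1]}")
        stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results: module -> 'success', 'ignore', or any other string (failure/error).
    Returns True when the stack as a whole grants access."""
    fixed = {"pam_permit.so": "success", "pam_deny.so": "denied"}
    failed = positive = False
    for control, module in stack:
        result = fixed.get(module) or results.get(module, "error")
        if result == "ignore":
            continue
        action = CONTROLS[control][0 if result == "success" else 1]
        if action == "die":
            return False          # requisite failure ends the stack at once
        if action == "bad":
            failed = True         # required failure: keep going, but deny
        elif action in ("ok", "done"):
            positive = True
            if action == "done" and not failed:
                return True       # sufficient success with no earlier failure
    return positive and not failed

# Both lookups missing from results, so both default to "error".
print(evaluate(parse_stack(WEAK), {}), evaluate(parse_stack(HARDENED), {}))
```

With neither pam_unix.so nor pam_ldap.so succeeding, the stack ending in pam_permit.so grants access and the one ending in pam_deny.so does not.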