Post Syndicated from corbet original http://lwn.net/Articles/688235/rss
For those who are curious about how the CoreOS remote SSH vulnerability
came to be, the company has posted a
detailed report. “This misconfiguration was abetted by
confirmation bias. The expected outcome of the change to the CoreOS PAM
configuration was for users who presented a password present in an
authentication database to be successfully authenticated. Because of the
pam_permit failure case explained above, this was the observed behavior in
testing, so the change was assumed to be correct. No attempt was made to
determine whether the observed behavior could be explained in some other
way, such as the system allowing any presented password.”
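To make the testing gap in that excerpt concrete, here is an added example (not code from LWN or from the CoreOS report, whose actual PAM configuration and "pam_permit failure case" are not reproduced on this page). It is a small simulation of Linux-PAM auth-stack control flags over two constructed stacks: a sane one and an assumed broken one in which an unconditional pam_permit is marked `sufficient`. The point it shows is that the test the report describes, presenting a correct password, passes against both stacks; only a negative test (wrong password, unknown user) tells them apart. The user database and stack layouts are constructed for illustration.

```python
"""
Toy simulation of Linux-PAM 'auth' stack control flags, showing why a test
that only presents the correct password cannot distinguish a sane stack from
one that accepts any password.

Constructed example: the stacks below are assumed illustrations, not the
CoreOS configuration described in the report.
"""
from dataclasses import dataclass
from typing import Callable, List

# Constructed credential database: username -> password.
USERS = {"core": "correct-horse"}


@dataclass
class Module:
    control: str                        # required | requisite | sufficient | optional
    name: str                           # e.g. pam_unix.so, pam_permit.so
    check: Callable[[str, str], bool]   # True stands for PAM_SUCCESS


def pam_unix(user: str, password: str) -> bool:
    """Succeeds only when the password matches the stored one."""
    return USERS.get(user) == password


def pam_permit(user: str, password: str) -> bool:
    """Always returns PAM_SUCCESS, whatever the input."""
    return True


def pam_deny(user: str, password: str) -> bool:
    """Always fails; used to catch fall-through at the end of a stack."""
    return False


def run_auth_stack(stack: List[Module], user: str, password: str) -> bool:
    """Evaluate a stack with simplified Linux-PAM control-flag rules:
       required   - failure is remembered, remaining modules still run
       requisite  - failure returns immediately
       sufficient - success returns immediately unless an earlier
                    'required' module already failed
       optional   - result only matters if it is the sole module
    """
    failed = False
    for mod in stack:
        ok = mod.check(user, password)
        if mod.control == "required":
            if not ok:
                failed = True
        elif mod.control == "requisite":
            if not ok:
                return False
        elif mod.control == "sufficient":
            if ok and not failed:
                return True
        elif mod.control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError(f"unknown control flag {mod.control!r}")
    return not failed


# A sane stack: pam_unix decides, pam_deny catches the fall-through.
SANE_STACK = [
    Module("sufficient", "pam_unix.so", pam_unix),
    Module("required", "pam_deny.so", pam_deny),
]

# Assumed broken stack: an unconditional pam_permit marked 'sufficient'
# short-circuits the stack before pam_unix is ever consulted.
BROKEN_STACK = [
    Module("sufficient", "pam_permit.so", pam_permit),
    Module("sufficient", "pam_unix.so", pam_unix),
    Module("required", "pam_deny.so", pam_deny),
]


def positive_test(stack: List[Module]) -> bool:
    """The test that was run: a correct password must be accepted."""
    return run_auth_stack(stack, "core", "correct-horse")


def negative_test(stack: List[Module]) -> bool:
    """The missing test: a wrong password and an unknown user must be rejected."""
    return (not run_auth_stack(stack, "core", "wrong-password")
            and not run_auth_stack(stack, "nobody", "anything"))


if __name__ == "__main__":
    for label, stack in (("sane", SANE_STACK), ("broken", BROKEN_STACK)):
        print(f"{label}: positive={positive_test(stack)} "
              f"negative={negative_test(stack)}")
```

Both stacks report `positive=True`; only the sane stack also reports `negative=True`. A change to an authentication stack therefore needs at least one rejection case in its test plan, since a stack that accepts everything is indistinguishable from a correct one under acceptance tests alone.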