Mailing List Archive



Re: [tlug] CentOS using default/blank? password postgres



2008/8/22 Christian Horn <chorn@example.com>:
> On Thu, Aug 21, 2008 at 03:24:20PM +0900, Hung Nguyen Vu wrote:
>>
>> My friend's CentOS 5.2 got hit by a scan and the bad guy was in.
>>
>> postgres pts/1        Wed Aug 20 08:45 - 08:54  (00:08)
>> host20-31-dynamic.52-82-r.retail.telecomitalia.it
>> postgres pts/1        Wed Aug 20 08:17 - 08:40  (00:23)     121.14.139.26
>>
>> I am not sure if CentOS mentions this issue at any point but at least,
>> during the installation of postgres,
>> he was not informed that he had to change the password of user postgres.
>
> At least the upstream from redhat has no linux-password set for user
> postgres by default:
>
> # grep postgre /etc/shadow
> postgres:!!:14098::::::
> # cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 5.2 (Tikanga)
>
> Wondering what could drive centos-people to set a password..

Most of the system users don't have a password set, but then they also
don't have a valid login shell. The postgres user is an exception.

However, on the RedHat / CentOS machines I have access to (and IIRC
pretty much any recent OS using sshd), "PermitEmptyPasswords no" is
the default in sshd_config. Anyone who takes the trouble to change
that for whatever reason (if that was the case) is asking for
problems.


Ian Barwick
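
The two checks discussed in this thread, as an added example that is not part of the original messages: which accounts combine a valid login shell with a locked, empty or set shadow password field, and what PermitEmptyPasswords resolves to in an sshd_config. The function names and sample data are constructed for illustration (the postgres shadow line is the one quoted above); only /sbin/nologin and /bin/false are treated as non-login shells, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments so the checks can be
# run against copies of the files; the sample data below is constructed.

# List accounts that have a login shell, with the state of their shadow field:
#   locked = starts with ! or * (e.g. "!!"), EMPTY = blank field, set = hash present
audit_accounts() {  # usage: audit_accounts PASSWD_FILE SHADOW_FILE
    awk -F: '
        NR == FNR { pw[$1] = $2; seen[$1] = 1; next }   # first file: shadow
        $7 ~ /\/(nologin|false)$/ { next }              # no valid login shell
        {
            if (!seen[$1])              state = "no-shadow-entry"
            else if (pw[$1] == "")      state = "EMPTY"
            else if (pw[$1] ~ /^[!*]/)  state = "locked"
            else                        state = "set"
            print $1, state, ($7 == "" ? "/bin/sh" : $7)
        }' "$2" "$1"
}

# Print the PermitEmptyPasswords value sshd would use: the first uncommented
# occurrence wins, and the built-in default is "no".
permit_empty_passwords() {  # usage: permit_empty_passwords SSHD_CONFIG
    awk '{ sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
         tolower(f[1]) == "permitemptypasswords" { print tolower(f[2]); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

make_sample() {  # usage: make_sample DIR  (writes constructed test files)
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
appuser:x:500:500::/home/appuser:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$hash:14098:0:99999:7:::
daemon:*:14098:0:99999:7:::
postgres:!!:14098::::::
appuser::14098:0:99999:7:::
EOF
    printf '#PermitEmptyPasswords no\nPermitEmptyPasswords yes\n' > "$1/sshd_config"
}

d=$(mktemp -d) && make_sample "$d"
audit_accounts "$d/passwd" "$d/shadow"
echo "PermitEmptyPasswords: $(permit_empty_passwords "$d/sshd_config")"
rm -rf "$d"
```

An account reported as EMPTY is only reachable over SSH when the second check prints "yes"; a "locked" account such as postgres with "!!" cannot authenticate by password at all.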

