PAM: Should nullok be removed from password also? #64

Open
pyllyukko opened this issue Dec 20, 2019 · 5 comments
Labels
PAM Linux-PAM related

pyllyukko commented Dec 20, 2019

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services#sect-Security_Guide-Workstation_Security-Account_Locking:

To disable the nullok option, remove the nullok string from configuration files in the /etc/pam.d/ directory, such as /etc/pam.d/system-auth or /etc/pam.d/password-auth.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pam_configuration_files#Sample_PAM_Configuration_Files:

The argument nullok instructs the module to allow the user to change their password from a blank password, otherwise a null password is treated as an account lock.

@pyllyukko pyllyukko added the PAM Linux-PAM related label Dec 20, 2019
@pyllyukko
Owner Author

PAM_UNIX(8) has an example with password:

password   required   pam_unix.so use_authtok nullok yescrypt

https://github.com/linux-pam/linux-pam/blob/cf2fc5ff7b4a8555fda2a5ebe5f6ab0e45c22996/modules/pam_unix/pam_unix_passwd.c#L562-L564 complains that "No password has been supplied."

@pyllyukko
Owner Author

Somewhat related: 9d7cda3

@pyllyukko
Owner Author

https://github.com/linux-pam/linux-pam/blob/ea980d991196df67cdd56b3f65d210b73218d08a/modules/pam_unix/pam_unix_passwd.c#L665-L669:

/*
 * This is not an AUTH module!
 */
if (on(UNIX__NONULL, ctrl))
	set(UNIX__NULLOK, ctrl);

@pyllyukko
Owner Author

Disabling logins for user with null passwords:

You'll want to remove this argument from any modules of 'auth' type for services that allow login.
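
An added example, not part of the issue or the project's own code: a small Python audit that follows the distinction drawn in the comments above by listing `nullok` separately for `auth` and `password` rules. The sample configuration is constructed, the function names are hypothetical, and only the per-service `/etc/pam.d/` file format is assumed.

```python
import re

# Constructed sample in /etc/pam.d/<service> format (not taken from a real host).
SAMPLE = """\
# comment lines and @include directives are skipped
@include common-account
auth      required                    pam_env.so
auth      [success=1 default=ignore]  pam_unix.so nullok try_first_pass
-auth     sufficient                  pam_unix.so \\
          try_first_pass nullok
password  required                    pam_unix.so use_authtok nullok yescrypt
session   required                    pam_unix.so
"""

RULE = re.compile(  # [-]type  control|[bracketed control]  module  arguments
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$", re.I)

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def find_nullok(text):
    """Return [(line_no, type, module)] for each rule with a literal nullok argument."""
    hits = []
    for no, line in logical_lines(text):
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        m = RULE.match(line)
        if m and "nullok" in m["args"].split():
            hits.append((no, m["type"].lower(), m["module"]))
    return hits

def audit(text):
    """Group hits: 'auth' rules are the ones the last comment says to change."""
    hits = find_nullok(text)
    return {t: [h for h in hits if h[1] == t] for t in ("auth", "password")}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real host, pass the contents of each file under `/etc/pam.d/` to `audit()` in place of `SAMPLE`.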
