Linux or UNIX disable null passwords

May 15, 2006 · 3 comments · LAST UPDATED May 14, 2006

Q. How do I disable logins for users with null passwords?

A. PAM (Pluggable Authentication Modules) is used by both Unix-like operating systems (Solaris/BSD/AIX/HP-UX) and Linux to configure authentication-related services.

A null password allows a user to log on to a system without supplying a valid password. This is a security risk to the system. In case you are wondering how a null password gets set, the usermod command does it as follows:

# usermod -p "" username

The PAM configuration option that enables null passwords is the nullok module argument passed to the pam_unix.so PAM module. Remove this argument from any modules of auth type for services that allow login.

Debian Linux

Debian Linux uses the following two files:

  • /etc/pam.d/common-auth: authentication settings common to all services
  • /etc/pam.d/common-password: password-related modules common to all services

Caution: before modifying the PAM config files mentioned below, make a backup of each file using the cp command.

a) Open /etc/pam.d/common-auth:

# cp /etc/pam.d/common-auth /etc/pam.d/common-auth.ORI
# vi /etc/pam.d/common-auth

Find the line that reads as follows:

password required pam_unix.so nullok obscure min=4 max=8 md5

Remove nullok from the above line so that it reads as follows:

password required pam_unix.so obscure min=4 max=8 md5

b) Save the file and exit to the shell prompt. Open the file /etc/pam.d/common-password:

# cp /etc/pam.d/common-password /etc/pam.d/common-password.ORI
# vi /etc/pam.d/common-password

Find the line that reads as follows:

auth required pam_unix.so nullok_secure

Remove nullok_secure from the above line so that it reads as follows:

auth required pam_unix.so

Save the file and exit to the shell prompt. Now no one will be able to log in using a null password.

Red Hat / Fedora Linux

You need to modify a single file, /etc/pam.d/system-auth:

# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.ORI
# vi /etc/pam.d/system-auth

Find the line that reads as follows:

auth sufficient /lib/security/pam_unix.so likeauth nullok

Remove nullok from the above line so that it reads as follows:

auth sufficient /lib/security/pam_unix.so likeauth

Save the file.
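
An added example, not part of the original article: a POSIX shell audit that reports active pam_unix.so lines still carrying nullok or nullok_secure, lists accounts whose password field is empty in a shadow-format file, and previews the edit described above without writing anything back. The function names, sample file names and shadow entries are assumptions made for the illustration.

```shell
# Added example (not from the original article): audit for null-password exposure.
# Print "file:line:text" for each active pam_unix.so line with nullok/nullok_secure.
pam_nullok_lines() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }                  # commented-out lines are inactive
            /pam_unix\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "nullok" || $i == "nullok_secure") {
                        print file ":" NR ":" $0; break
                    }
            }' "$f"
    done
}

# Print accounts whose password field (2nd field of a shadow-format file) is empty.
empty_password_accounts() {
    [ -r "$1" ] || return 0
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Preview the edit: print FILE with nullok/nullok_secure dropped from active pam_unix.so lines.
strip_nullok() {
    awk '
        /^[ \t]*#/ || !/pam_unix\.so/ { print; next }
        {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "nullok" && $i != "nullok_secure")
                    out = out (out == "" ? "" : " ") $i
            print out
        }' "$1"
}

# Constructed sample data (PAM lines as quoted in the article; shadow entries invented).
write_samples() {
    mkdir -p "$1"
    printf '%s\n' '# auth required pam_unix.so nullok' \
        'auth required pam_unix.so nullok_secure' \
        'password required pam_unix.so nullok obscure min=4 max=8 md5' \
        'auth sufficient /lib/security/pam_unix.so likeauth nullok' > "$1/pam.sample"
    printf '%s\n' 'root:$6$constructed$hash:19000:0:99999:7:::' \
        'guest::19000:0:99999:7:::' > "$1/shadow.sample"
}

d=$(mktemp -d) && write_samples "$d"
pam_nullok_lines "$d/pam.sample"; empty_password_accounts "$d/shadow.sample"
strip_nullok "$d/pam.sample"; rm -rf "$d"
```

On a real host, run the first two functions as root against /etc/pam.d/* and /etc/shadow; an account listed by empty_password_accounts stays password-less in the shadow file even after nullok is removed, so give it a password or lock it.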


{ 3 comments… read them below or add one }

1 William Lerner May 19, 2011 at 6:09 pm

I believe that the use of nullok does not allow users to login with blank passwords. A typical pam_unix.so usage which includes the ‘min’ argument after the nullok argument negates the use of blank passwords. The nullok argument is in place for user accounts that do not have a password, but require access to a service.


2 Sunil Bhoi December 28, 2013 at 3:37 pm

Hello,

I have removed the word nullok and saved the file. However, I am still able to set a blank password for the user. Does any service need to be restarted?

Regards,
Sunil Bhoi


3 Anonymous User January 7, 2014 at 10:28 pm

Works great, thanks. Just 1 typo:
The second line under Ubuntu should be

/etc/pam.d/common-auth
You are missing the “.d”.
