Q. How do I disable logins for users with null passwords?
A. PAM (pluggable authentication modules) is used by both Unix-like operating systems (Solaris/BSD/AIX/HP-UX) and Linux to configure authentication-related services.
A null password allows a user to log on to a system without supplying a valid password. This is a security risk to the system. In case you are wondering how to set up a null password, try the usermod command as follows:
# usermod -p "" username
The PAM configuration option that enables null passwords is the nullok module argument passed to the pam_unix.so PAM module. You'll want to remove this argument from any modules of auth type for services that allow login.
Debian Linux
Debian Linux uses the following two files:
- /etc/pam.d/common-auth: authentication settings common to all services
- /etc/pam.d/common-password: password-related modules common to all services
Caution: before modifying the PAM config files mentioned below, make a backup of each file using the cp command.
a) Open /etc/pam.d/common-auth:
# cp /etc/pam.d/common-auth /etc/pam.d/common-auth.ORI
# vi /etc/pam.d/common-auth
Find the line that reads as follows:
password required pam_unix.so nullok obscure min=4 max=8 md5
Remove nullok from the above line so that it reads as follows:
password required pam_unix.so obscure min=4 max=8 md5
b) Save the file and exit to the shell prompt. Open the file /etc/pam.d/common-password:
# cp /etc/pam.d/common-password /etc/pam.d/common-password.ORI
# vi /etc/pam.d/common-password
Find the line that reads as follows:
auth required pam_unix.so nullok_secure
Remove nullok_secure from the above line so that it reads as follows:
auth required pam_unix.so
Save the file and exit to the shell prompt. Now no one will be able to log in using a null password.
Red Hat / Fedora Linux
You need to modify a single file, /etc/pam.d/system-auth:
# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.ORI
# vi /etc/pam.d/system-auth
Find the line that reads as follows:
auth sufficient /lib/security/pam_unix.so likeauth nullok
Remove nullok from the above line so that it reads as follows:
auth sufficient /lib/security/pam_unix.so likeauth
Save the file.
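To verify the change, the following added example (not part of the original article) lists every active pam_unix.so line that still carries nullok or nullok_secure, and every account whose password field in a shadow-format file is empty. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit for null-password exposure.

# Print "file:line:text" for each active pam_unix.so line carrying nullok/nullok_secure.
find_nullok() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            /^[ \t]*#/ { next }                  # ignore commented-out lines
            /pam_unix\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "nullok" || $i == "nullok_secure") {
                        print f ":" NR ":" $0
                        break
                    }
            }' "$f"
    done
}

# Print accounts whose password field (field 2) in a shadow-format file is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Build constructed sample files so the checks can be tried without touching /etc.
make_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/system-auth" <<'EOF'
# auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_unix.so likeauth nullok
account required /lib/security/pam_unix.so
EOF
    cat > "$d/common-auth" <<'EOF'
auth required pam_unix.so nullok_secure
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
alice::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
    echo "$d"
}

# Demo on the constructed samples; on a real host run (as root):
#   find_nullok /etc/pam.d/* ; empty_password_accounts /etc/shadow
SAMPLES=$(make_samples)
find_nullok "$SAMPLES"/system-auth "$SAMPLES"/common-auth
empty_password_accounts "$SAMPLES/shadow"
```

Empty output from both functions means no pam_unix.so line still accepts null passwords and no account has an empty password field.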
See also:
- Official Linux PAM documentation
- Linux set default password expiry for all new users
- Please consult man pages of usermod and passwd
1 comment:
I believe that the use of nullok does not allow users to login with blank passwords. A typical pam_unix.so usage which includes the ‘min’ argument after the nullok argument negates the use of blank passwords. The nullok argument is in place for user accounts that do not have a password, but require access to a service.