Q. How do I disable logins for users with null passwords?
A. PAM (pluggable authentication modules) is used by both UNIX-like operating systems (Solaris/BSD/AIX/HP-UX) and Linux to configure authentication-related services.
A null password allows a user to log on to a system without supplying a valid password. This is a security risk to the system. If you are wondering how a null password gets set up, try the usermod command as follows:
# usermod -p "" username
The PAM configuration option that enables null passwords is the nullok module argument passed to the pam_unix.so PAM module. You'll want to remove this argument from any modules of auth type for services that allow login.
Debian Linux
Debian Linux uses the following two files:
- /etc/pam.d/common-auth: authentication settings common to all services
- /etc/pam.d/common-password: password-related modules common to all services
Caution: before modifying the PAM config files mentioned below, back them up using the cp command.
a) Open /etc/pam.d/common-auth:
# cp /etc/pam.d/common-auth /etc/pam.d/common-auth.ORI
# vi /etc/pam.d/common-auth
Find the line that reads as follows:
password required pam_unix.so nullok obscure min=4 max=8 md5
Remove nullok from the above line so that it reads as follows:
password required pam_unix.so obscure min=4 max=8 md5
b) Save the file and exit to the shell prompt. Open the file /etc/pam.d/common-password:
# cp /etc/pam.d/common-password /etc/pam.d/common-password.ORI
# vi /etc/pam.d/common-password
Find the line that reads as follows:
auth required pam_unix.so nullok_secure
Remove nullok_secure from the above line so that it reads as follows:
auth required pam_unix.so
Save the file and exit to the shell prompt. Now no one will be able to log in using a null password.
Red Hat / Fedora Linux
You need to modify a single file, /etc/pam.d/system-auth:
# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.ORI
# vi /etc/pam.d/system-auth
Find the line that reads as follows:
auth sufficient /lib/security/pam_unix.so likeauth nullok
Remove nullok from the above line so that it reads as follows:
auth sufficient /lib/security/pam_unix.so likeauth
Save the file.
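To check the result on either distribution, the following added example (not part of the original article; the function names find_nullok and find_empty_passwords are hypothetical) reports active pam_unix.so lines that still carry nullok or nullok_secure and lists accounts whose password field is empty. The demo runs on constructed sample files, so it needs no root access:

```shell
#!/bin/sh
# Added example, not from the original article: audit helpers for the
# nullok cleanup described above. Function names are hypothetical.

# Report every active pam_unix.so line that still has nullok or
# nullok_secure, as file:line:type:option. Arguments: PAM config files.
find_nullok() {
    awk '
        /^[[:space:]]*#/ { next }            # ignore commented-out lines
        /pam_unix\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i == "nullok" || $i == "nullok_secure") {
                    print FILENAME ":" FNR ":" $1 ":" $i
                    break
                }
        }' "$@"
}

# Print the accounts whose password field (2nd field) is empty in a
# shadow-format file, i.e. accounts set up like: usermod -p "" username
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Demo on constructed sample files so the script runs without root.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/system-auth" <<'EOF'
# constructed sample PAM file
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
EOF
    cat > "$tmp/shadow" <<'EOF'
root:$1$constructed$hash:13000:0:99999:7:::
guest::13000:0:99999:7:::
EOF
    find_nullok "$tmp/system-auth"
    find_empty_passwords "$tmp/shadow"
    rm -rf "$tmp"
}

demo
# On a real system (as root):
#   find_nullok /etc/pam.d/*
#   find_empty_passwords /etc/shadow
```

No output from find_nullok means no active pam_unix.so line accepts null passwords; any account printed by find_empty_passwords should be locked or given a password.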
See also:
- Official Linux PAM documentation
- Linux set default password expiry for all new users
- Please consult man pages of usermod and passwd
Last Updated: May/14/2006

