Linux or UNIX disable null passwords

Q. How do I disabling logins for user with null passwords?

A. PAM (pluggable authentication modules) is used by both Unixish (Solaris/BSD/AIX/HP-UX) oses and Linux for configuring authentication related services.

A null password allows users to log onto a system without having to supply a valid password. This is a security risk to the system. In case if you are wondering how to setup null password, try command usermod as follows:

# usermod -p “” username

The PAM configuration option that enables null passwords is the nullok module argument passed to pam_unix.so PAM module. You’ll want to remove this argument from any modules of auth type for services that allow login.

Debian Linux

Debian Linux use following two files:

  • /etc/pam/common-auth: authentication settings common to all services
  • /etc/pam.d/common-password: password-related modules common to all services

Caution: before modifying below mentioned PAM config files, make the backup of files using cp command.

a) Open /etc/pam/common-auth:

# cp /etc/pam/common-auth /etc/pam/common-auth.ORI
# vi /etc/pam/common-auth

Find out line that read as follows:

password required pam_unix.so nullok obscure min=4 max=8 md5

Remove nullok from above line so that it read as follows:

password required pam_unix.so obscure min=4 max=8 md5

b) Save the file and exit to shell prompt. Open file /etc/pam.d/common-password:

# cp /etc/pam.d/common-password /etc/pam.d/common-password.ORI
# vi /etc/pam.d/common-password

Find out line that read as follows:

auth required pam_unix.so nullok_secure

Remove nullok_secure from above line so that it read as follows:

auth required pam_unix.so

Save the file and exit to shell prompt. Now no one be able to login using null password.

Red Hat / Fedora Linux

You need to modify single file /etc/pam.d/system-auth:

# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.ORI
# vi /etc/pam.d/system-auth

Find out line that read as follows:

auth sufficient /lib/security/pam_unix.so likeauth nullok

Remove nullok from above line so that it read as follows:

auth sufficient /lib/security/pam_unix.so likeauth

Save the file.

See also:


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 3 comments so far... add one


CategoryList of Unix and Linux commands
Disk space analyzersdf duf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Modern utilitiesbat exa
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg glances gtop jobs killall kill pidof pstree pwdx time vtop
Searchingag grep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
3 comments… add one
  • William Lerner May 19, 2011 @ 18:09

    I believe that the use of nullok does not allow users to login with blank passwords. A typical pam_unix.so usage which includes the ‘min’ argument after the nullok argument negates the use of blank passwords. The nullok argument is in place for user accounts that do not have a password, but require access to a service.

  • Sunil Bhoi Dec 28, 2013 @ 15:37

    Hello,

    I have remove the word nullok and save the file. However I am still able to set black password for the user. any service need to be restarted ?

    Regards,
    Sunil Bhoi

  • Anonymous User Jan 7, 2014 @ 22:28

    Works great, thanks. Just 1 type:
    The second line under Ubuntu should be

    /etc/pam.d/common-auth
    you are missing the “.d”

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum