
Linux or UNIX disable null passwords

Q. How do I disable logins for users with null passwords?

A. PAM (pluggable authentication modules) is used by both Unix-like operating systems (Solaris/BSD/AIX/HP-UX) and Linux to configure authentication-related services.

A null password allows a user to log on to a system without having to supply a valid password. This is a security risk to the system. In case you are wondering how to set up a null password, try the usermod command as follows:

# usermod -p "" username

The PAM configuration option that enables null passwords is the nullok module argument passed to the pam_unix.so PAM module. You’ll want to remove this argument from any modules of auth type for services that allow login.

Debian Linux

Debian Linux uses the following two files:

  • /etc/pam.d/common-auth: authentication settings common to all services
  • /etc/pam.d/common-password: password-related modules common to all services

Caution: before modifying the PAM config files mentioned below, make a backup of each file using the cp command.

a) Open /etc/pam.d/common-auth:

# cp /etc/pam.d/common-auth /etc/pam.d/common-auth.ORI
# vi /etc/pam.d/common-auth

Find the line that reads as follows:

password required pam_unix.so nullok obscure min=4 max=8 md5

Remove nullok from the above line so that it reads as follows:

password required pam_unix.so obscure min=4 max=8 md5

b) Save the file and exit to the shell prompt. Open the file /etc/pam.d/common-password:

# cp /etc/pam.d/common-password /etc/pam.d/common-password.ORI
# vi /etc/pam.d/common-password

Find the line that reads as follows:

auth required pam_unix.so nullok_secure

Remove nullok_secure from the above line so that it reads as follows:

auth required pam_unix.so

Save the file and exit to the shell prompt. Now no one will be able to log in using a null password.

Red Hat / Fedora Linux

You need to modify a single file, /etc/pam.d/system-auth:

# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.ORI
# vi /etc/pam.d/system-auth

Find the line that reads as follows:

auth sufficient /lib/security/pam_unix.so likeauth nullok

Remove nullok from the above line so that it reads as follows:

auth sufficient /lib/security/pam_unix.so likeauth

Save the file.
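
To confirm the edits above took effect, the following shell functions (an added example, not part of the original article) list every active pam_unix.so rule that still carries nullok or nullok_secure, and every account whose shadow password field is empty. The function names, the --audit switch, and the assumption that rules use the classic one-rule-per-line format under /etc/pam.d are choices made for this example.

```shell
#!/bin/sh
# Added example: audit for null-password exposure after editing PAM files.
# Assumes one-rule-per-line PAM configs and a standard colon-separated shadow file.

# Print "file:line:rule" for each active pam_unix.so rule with nullok/nullok_secure.
# Text after '#' is treated as a comment; the .ORI backups made above are skipped.
find_nullok() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.ORI) continue ;; esac
        awk -v file="$f" '
            { sub(/#.*/, "") }              # drop comments before matching
            /pam_unix\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "nullok" || $i == "nullok_secure") {
                        print file ":" NR ":" $0
                        break
                    }
            }' "$f"
    done
}

# Print the names of accounts whose password field (2nd field) is empty.
# Locked accounts ("!" or "*") are not reported.
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# Run as root with --audit to check the live system.
if [ "${1:-}" = "--audit" ]; then
    echo "PAM rules still permitting null passwords:"
    find_nullok /etc/pam.d
    echo "Accounts with an empty password field:"
    find_empty_passwords /etc/shadow
fi
```

An empty result from both functions means no service configured under /etc/pam.d accepts a null password through pam_unix.so and no account currently has one set.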


3 comments
  • William Lerner May 19, 2011, 6:09 pm

    I believe that the use of nullok does not allow users to login with blank passwords. A typical pam_unix.so usage which includes the ‘min’ argument after the nullok argument negates the use of blank passwords. The nullok argument is in place for user accounts that do not have a password, but require access to a service.

  • Sunil Bhoi December 28, 2013, 3:37 pm

    Hello,

    I have removed the word nullok and saved the file. However, I am still able to set a blank password for the user. Does any service need to be restarted?

    Regards,
    Sunil Bhoi

  • Anonymous User January 7, 2014, 10:28 pm

    Works great, thanks. Just 1 typo:
    The second line under Ubuntu should be

    /etc/pam.d/common-auth
    you are missing the “.d”
