Prevent login to accounts with empty password

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 10

Issue

  • Will nullok option allow users to login without entering a password?

    # cat password-auth  | grep nullok
    auth       sufficient               pam_unix.so nullok
    password   sufficient               pam_unix.so sha512 shadow nullok use_authtok
    
  • How to disallow console login without a password?

  • An account without a password is able to log in from the console, as recorded in /var/log/secure:

    login[1671]: pam_unix(login:auth): user [bob] has blank password; authenticated without it
    login[1671]: pam_unix(login:session): session opened for user bob by LOGIN(uid=0)
    login[1671]: LOGIN ON tty1 BY bob
    
  • A security scanner reports one of the following findings:

    • The system must not have accounts configured with blank or null passwords (V-71937)
    • RHEL 8 must not allow blank or null passwords in the system-auth file (V-244540)
    • RHEL 8 must not allow blank or null passwords in the password-auth file (V-244541)
    • RHEL 9 must not have accounts configured with blank or null passwords. (V-258120)
    • RHEL 9 must not allow blank or null passwords. (V-258094)

Resolution

RHEL8/RHEL9/RHEL10

  • RHEL 8 and later use authselect to manage the PAM files; do not edit /etc/pam.d/system-auth and /etc/pam.d/password-auth by hand. Run the following command to remove the nullok option from the current profile (the files are rewritten immediately; if authselect reports that the files were modified outside of authselect, re-select the profile first):

    authselect enable-feature without-nullok
    

RHEL7

  • Remove the nullok option manually from every pam_unix.so line in /etc/pam.d/password-auth and /etc/pam.d/system-auth. Note that these files are symlinks to the authconfig-managed *-ac files, so a later authconfig run regenerates them; recheck for nullok after running authconfig. Replace the line:

    auth     sufficient     pam_unix.so nullok try_first_pass
    

    with:

    auth     sufficient     pam_unix.so try_first_pass
    

Root Cause

  • Out of the box, nobody can log in to RHEL without a password, not because nullok is absent (it is present by default, see below) but because no account is created with an empty password field.

  • In addition, ordinary users cannot remove their own password or set an empty one: passwd -d is restricted to root, and the password quality checks reject an empty password.

  • The nullok option allows a login with no password only when the password field (the second field in /etc/shadow) is empty. A user whose password field is empty can therefore log in from the console. Because nullok is part of the default configuration, this is out-of-box behaviour.

  • The nullok option is specified in the default installation:

    # man pam_unix
    
    nullok
       The default action of this module is to not permit the user access
       to a service if their official password is blank. The nullok
       argument overrides this default.
    
  • The command-line tools that add users create the accounts locked: the second field in /etc/shadow contains '!!' (useradd without a password) or '*' (system accounts), and it is replaced with a hash once root sets a password. The field becomes empty only if root deletes the password (passwd -d <user>) or forcibly unlocks an account that never had one (passwd -u -f <user>; without -f, passwd refuses because the unlocked password would be empty).

  • Removing the nullok option from the pam_unix.so module therefore ensures that such users cannot log in even when the password field is empty, while users who have a password are not affected at all.

  • By contrast, sshd denies empty-password authentication by default; the commented line in sshd_config shows the compiled-in default:

    # cat /etc/ssh/sshd_config | grep -i PermitEmptyPasswords
    #PermitEmptyPasswords no
    
  • Every user account should be protected with a password; removing nullok is a safeguard against an emptied password field, not a substitute for setting one.

Diagnostic Steps

  • The nullok option in pam_unix allows a user with an empty password field to log in; check whether it is still present in both PAM files:

       # cat /etc/pam.d/password-auth | grep nullok
       auth     sufficient     pam_unix.so nullok try_first_pass
    
       # cat /etc/pam.d/system-auth | grep nullok
       auth     sufficient     pam_unix.so nullok try_first_pass
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.