On Mon, Nov 25, 2019 at 2:26 PM Ben Cotton <bcotton(a)redhat.com> wrote:
https://fedoraproject.org/wiki/Changes/DisallowEmptyPasswordsByDefault
== Summary ==
Remove ''nullok'' parameter from pam_unix module in default PAM
configuration in order to disallow authentication with empty password.
How difficult is it to apply this change (disallow authentication for
user with empty password) to only root and users in the wheel group?
i.e. permit empty password standard users (not in wheel)?
Current default configuration allows users to login with an empty
password by setting nullok parameter to pam_unix module. This affects
only logins to local machine, it does not affect ssh logins as this
must be explicitly allowed in sshd_config. We want to disallow empty
password by default for local logins as well to improve system
hardening.
At least out of the box on Fedora Workstation it's non-trivial to get
into this situation, you have to know what you're doing. The root user
has sp_pwdp set to ! and neither GNOME Initial Setup nor the GNOME
Settings: Users panel permits an empty passphrase.
Anyway, there is also a lot of other implied work with this feature
that I wonder if feature owners should evaluate the implications of a
possible future adoption of systemd-homed? That's a new feature in
systemd-244, and is something the Workstation WG is evaluating as part
of enabling user home encryption by default. The main thing
systemd-homed brings to the table is a cleaner authentication
paradigm, with user home encryption as a (recommended) option which
systemd-homed also manages. I'll start a separate thread about homed,
but since it touches on authentication and so does this feature
proposal, I think it's relevant to bring attention to it.
--
Chris Murphy