On Mon, Nov 25, 2019 at 10:27 PM Ben Cotton <bcotton(a)redhat.com> wrote:
https://fedoraproject.org/wiki/Changes/DisallowEmptyPasswordsByDefault
== Summary ==
Remove ''nullok'' parameter from pam_unix module in default PAM
configuration in order to disallow authentication with empty password.
== Owner ==
* Name: [[User:pbrezina| Pavel Březina]]
* Email: <pbrezina(a)redhat.com>
== Detailed Description ==
Current default configuration allows users to login with an empty
password by setting nullok parameter to pam_unix module. This affects
only logins to local machine, it does not affect ssh logins as this
must be explicitly allowed in sshd_config. We want to disallow empty
password by default for local logins as well to improve system
hardening.
It makes sense to implement this functionality so that users/admins can
harden their systems in this way if they prefer. But I don't think it
should be the default all across Fedora. Especially in desktop space, empty
passwords make sense. I think the best approach would be to provide the
functionality and then let individual spins/editions enable this by default
if they want (e.g. the Security spin, or Server).