Disable null passwords

By default, the PAM configuration files in Linux allow null (empty) passwords because pam_unix is called with the nullok argument. From the manpage:

# man pam_unix
nullok
        The default action of this module is to not permit the user access to a service if their official password is blank. The nullok argument overrides this default.

The nullok option lets a user log in without a password when the password field for that user in /etc/shadow is the empty string. To disable this, remove the nullok argument from the pam_unix lines in /etc/pam.d/system-auth and/or /etc/pam.d/password-auth.

# grep nullok /etc/pam.d/system-auth
auth        sufficient    pam_unix.so nullok try_first_pass
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

# grep nullok /etc/pam.d/password-auth
auth        sufficient    pam_unix.so nullok try_first_pass
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

Fortunately, sshd refuses empty passwords by default through the PermitEmptyPasswords setting in sshd_config.

# man sshd_config
PermitEmptyPasswords
             When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is no.

Before disabling nullok, we will test by creating a user with an empty password.

# useradd -p U6aMy0wojraho testuser

The value U6aMy0wojraho is a crypt hash of the empty string; useradd -p stores it verbatim in /etc/shadow.

# grep testuser /etc/shadow
testuser:U6aMy0wojraho:18729:0:99999:7:::

First, verify that you are unable to log in using ssh. Just hit <enter> when prompted for the password.

# ssh -l testuser c1.networklogician.com
testuser@c1.networklogician.com's password: 
Permission denied, please try again.
testuser@c1.networklogician.com's password: 
Permission denied, please try again.
testuser@c1.networklogician.com's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Other services that authenticate through these PAM stacks will, however, allow access. Here we test with telnet; again, just hit <enter> when prompted for the password.

# telnet c1.networklogician.com
Trying 10.10.10.11...
Connected to 10.10.10.11.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 8.1 (Ootpa)
Kernel 4.18.0-147-52.16.1.el6.x86_64 on an x86_64
c1.networklogician.com login: testuser
Password: 
[testuser@c1.networklogician.com ~]$ id
uid=507(testuser) gid=507(testuser) groups=507(testuser)
[testuser@c1.networklogician.com ~]$ exit
logout

Now remove nullok from /etc/pam.d/system-auth and/or /etc/pam.d/password-auth and test the connection again using telnet.

# telnet c1.networklogician.com
Trying 10.10.10.11...
Connected to 10.10.10.11.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 8.1 (Ootpa)
Kernel 4.18.0-147-52.16.1.el6.x86_64 on an x86_64
c1.networklogician.com login: testuser
Password: 
Login incorrect

c1.networklogician.com login: testuser
Password:
Login incorrect

c1.networklogician.com login: testuser
Password: 
Login incorrect
Connection closed by foreign host.
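To audit and fix what the steps above cover, here is an added shell helper (not code from the original post) that reports pam_unix lines still carrying nullok, lists shadow entries with an empty password field or a hash that verifies against the empty string, and writes a PAM file with nullok stripped. It runs on constructed sample files; the hash check assumes perl is installed and that crypt(3) on the host still accepts the hash type (DES hashes such as U6aMy0wojraho are refused on some current distributions, in which case that check reports nothing).

```shell
#!/bin/sh
# Added audit/remediation helper for the nullok issue described above; it is
# not code from the original post. Point it at a real host's PAM files and
# /etc/shadow, or at the constructed samples built at the bottom.

# Print "file:line:content" for every uncommented pam_unix line that still
# carries a nullok argument (word match, so Debian's nullok_secure is not hit).
find_nullok() {
    grep -Hn -E '^[^#]*pam_unix\.so[^#]*[[:space:]]nullok([[:space:]]|$)' "$@"
}

# Print accounts whose password field (2nd field of a shadow-format file) is
# empty; these are the accounts nullok lets in without a password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Also flag accounts whose stored hash verifies against the empty string, the
# U6aMy0wojraho case from the post. Assumes perl and a libc/libxcrypt that
# still accepts the hash type; otherwise nothing is printed.
empty_string_hashes() {
    command -v perl >/dev/null || return 0
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 ":" $2 }' "$1" |
    while IFS=: read -r user hash; do
        perl -e 'exit(crypt("", $ARGV[0]) eq $ARGV[0] ? 0 : 1)' -- "$hash" 2>/dev/null && echo "$user"
    done
    return 0
}

# Write a copy of a PAM file with nullok removed from pam_unix lines, keeping
# every other argument (try_first_pass, sha512, use_authtok, ...) in place.
strip_nullok() {
    sed -E '/pam_unix\.so/ s/[[:space:]]+nullok([[:space:]]|$)/\1/' "$1"
}

# --- constructed sample data, not a real host's files ------------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
# auth      sufficient    pam_unix.so nullok   (commented out, must be ignored)
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:18729:0:99999:7:::
testuser::18729:0:99999:7:::
legacy:U6aMy0wojraho:18729:0:99999:7:::
EOF
find_nullok "$SAMPLE_DIR/system-auth"; empty_password_accounts "$SAMPLE_DIR/shadow"
empty_string_hashes "$SAMPLE_DIR/shadow"; strip_nullok "$SAMPLE_DIR/system-auth"
```

The sample files are left in $SAMPLE_DIR so they can be inspected; delete the directory when done.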
