Need to remove nullok from system-auth-ac
I am interested in finding out how to remove nullok from the system-auth-ac file. I work indirectly for the DLA and it is a category I security violation to allow null passwords. Since this file gets autogenerated each time authconfig is run, how can I make it so that whenever it is run it doesn't include the nullok in the line:
password sufficient pam_unix.so sha=512 shadow nullok try_first_pass use_authtok
How is system-auth-ac generated?
Does it start from a template?
Thanks
Responses
If you remove "nullok" from the system-auth{-ac} file, then authconfig will not add it. (authconfig checks whether the entry is present or not and preserves your current settings for "nullok".)
If you are using RHEL6, then you have to remove it from password-auth as well.
Authconfig comprises a set of Python scripts in /usr/share/authconfig/. As stated above, the tool (the authinfo.py script to be more specific) checks for the existence of the "nullok" argument, and uses that result to determine whether or not any new auto-generated /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac files should contain the argument. It is a little more complicated than that, because the program logic might never even make it to that check if no required change(s) to the pam_unix.so line are detected. In the end, it is safe to remove the "nullok" argument by hand as a result of the check. This was tested in RHEL7.3.
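The manual removal described in the responses above can be scripted. This is an added example, not code from the thread or from authconfig. It audits and strips "nullok" from every pam_unix.so line in both files the responses name. The function names and the PAM_DIR override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and strip "nullok" from pam_unix.so lines.
# PAM_DIR (hypothetical override) lets you rehearse on a copy of /etc/pam.d.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"
PAM_FILES="system-auth-ac password-auth-ac"

# Print "file:line:text" for each non-comment pam_unix.so line carrying nullok.
find_nullok() {
    for f in $PAM_FILES; do
        [ -f "$PAM_DIR/$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }
            /pam_unix\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "nullok") { print file ":" NR ":" $0; break }
            }' "$PAM_DIR/$f"
    done
}

# Drop nullok (exact argument match only) from pam_unix.so lines.
# A .bak copy is kept, and the file is rewritten in place so its
# ownership, mode and the system-auth symlink stay as they were.
strip_nullok() {
    for f in $PAM_FILES; do
        [ -f "$PAM_DIR/$f" ] || continue
        cp -p "$PAM_DIR/$f" "$PAM_DIR/$f.bak"
        awk '
            !/^[[:space:]]*#/ && /pam_unix\.so/ {
                out = ""
                for (i = 1; i <= NF; i++)
                    if ($i != "nullok") out = out (out == "" ? "" : " ") $i
                print out; next
            }
            { print }' "$PAM_DIR/$f.bak" > "$PAM_DIR/$f"
    done
}
```

Run find_nullok again after any later authconfig invocation to confirm the argument has not returned.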
