Prevent login to accounts with empty password

Solution Verified - Updated -

Issue

  • Will the nullok option allow users to log in without entering a password?

    # cat password-auth  | grep nullok
    auth       sufficient               pam_unix.so nullok
    password   sufficient               pam_unix.so sha512 shadow nullok use_authtok
    
  • How to disallow console login without a password?

  • A user account without a password is able to log in from the console, as shown by the log messages recorded in /var/log/secure:

    login[1671]: pam_unix(login:auth): user [bob] has blank password; authenticated without it
    login[1671]: pam_unix(login:session): session opened for user bob by LOGIN(uid=0)
    login[1671]: LOGIN ON tty1 BY bob
    
  • One of the items below is returned by a security scanner:

    • The system must not have accounts configured with blank or null passwords (V-71937)
    • RHEL 8 must not allow blank or null passwords in the system-auth file (V-244540)
    • RHEL 8 must not allow blank or null passwords in the password-auth file (V-244541)

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
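
The three symptoms listed under Issue (nullok on pam_unix.so lines, accounts with a blank password, and blank-password logins recorded in /var/log/secure) can be checked with a short shell audit. This is an added example, not part of the Red Hat article; the function names are hypothetical, and it assumes the PAM files live in /etc/pam.d and that an empty second field in /etc/shadow means the account has no password.

```shell
#!/bin/sh
# Added example: audit for the three symptoms in the Issue section.
# Function names are hypothetical; file paths are passed as arguments.

# Print "file: line" for every active pam_unix.so line that carries nullok.
pam_nullok_lines() {
    for f in "$@"; do
        [ -r "$f" ] || continue                  # skip files that do not exist
        awk -v f="$f" '
            /^[ \t]*#/ { next }                  # ignore commented-out lines
            /pam_unix\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "nullok") { print f ": " $0; break }
            }' "$f"
    done
}

# Print account names whose password field in a shadow-format file is empty.
empty_password_users() {
    awk -F: '$1 != "" && $2 == "" { print $1 }' "$1"
}

# Print "user service" for each blank-password authentication pam_unix logged.
blank_password_logins() {
    sed -n 's/.*pam_unix(\([^:)]*\):auth): user \[\([^]]*\)] has blank password; authenticated without it.*/\2 \1/p' "$1"
}

# Run all three checks against the live system (root is needed for /etc/shadow).
audit_blank_passwords() {
    echo "== pam_unix.so lines with nullok =="
    pam_nullok_lines /etc/pam.d/system-auth /etc/pam.d/password-auth
    echo "== accounts with an empty password field =="
    empty_password_users /etc/shadow
    echo "== blank-password logins in /var/log/secure =="
    blank_password_logins /var/log/secure | sort | uniq -c
}

# Only read the live system when explicitly asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_blank_passwords
fi
```

Any output under the first two headings corresponds to the scanner findings listed above; output under the third means a blank-password login has already taken place.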
