Re: Fedora 32 System-Wide Change proposal: Disallow Empty Password By Default

Kamil Paral <kparal@xxxxxxxxxx> · Tue, 26 Nov 2019 11:31:54 +0100

On Mon, Nov 25, 2019 at 10:27 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
https://fedoraproject.org/wiki/Changes/DisallowEmptyPasswordsByDefault

== Summary ==

Remove ''nullok'' parameter from pam_unix module in default PAM

configuration in order to disallow authentication with empty password.

== Owner ==

* Name: [[User:pbrezina| Pavel Březina]]

* Email: <pbrezina@xxxxxxxxxx>

== Detailed Description ==

Current default configuration allows users to login with an empty

password by setting nullok parameter to pam_unix module. This affects

only logins to local machine, it does not affect ssh logins as this

must be explicitly allowed in sshd_config. We want to disallow empty

password by default for local logins as well to improve system

hardening.

It makes sense to implement this functionality so that users/admins can harden their systems in this way if they prefer. But I don't think it should be the default all across Fedora. Especially in desktop space, empty passwords make sense. I think the best approach would be to provide the functionality and then let individual spins/editions enable this by default if they want (e.g. the Security spin, or Server).

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx