On Tuesday, November 26, 2019 3:31:54 AM MST Kamil Paral wrote: > On Mon, Nov 25, 2019 at 10:27 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote: > > https://fedoraproject.org/wiki/Changes/DisallowEmptyPasswordsByDefault > > > > == Summary == > > Remove ''nullok'' parameter from pam_unix module in default PAM > > configuration in order to disallow authentication with empty password. > > > > == Owner == > > * Name: [[User:pbrezina| Pavel Březina]] > > * Email: <pbrezina@xxxxxxxxxx> > > > > == Detailed Description == > > > > Current default configuration allows users to login with an empty > > password by setting nullok parameter to pam_unix module. This affects > > only logins to local machine, it does not affect ssh logins as this > > must be explicitly allowed in sshd_config. We want to disallow empty > > password by default for local logins as well to improve system > > hardening. > > It makes sense to implement this functionality so that users/admins can > harden their systems in this way if they prefer. But I don't think it > should be the default all across Fedora. Especially in desktop space, empty > passwords make sense. I think the best approach would be to provide the > functionality and then let individual spins/editions enable this by default > if they want (e.g. the Security spin, or Server). Let me clarify something I said earlier in this thread. I don't believe anyone should be using empty passwords. That said, I know that there's no way I can convince certain people to use a password, and those people would still like to be able to use Fedora without having to learn pam configuration. I don't believe that empty passwords make sense in any case. -- John M. Harris, Jr. Splentity _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
