On Mon, Nov 25, 2019 at 2:26 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>
> https://fedoraproject.org/wiki/Changes/DisallowEmptyPasswordsByDefault
>
> == Summary ==
> Remove ''nullok'' parameter from pam_unix module in default PAM
> configuration in order to disallow authentication with empty password.

How difficult is it to apply this change (disallow authentication for
user with empty password) to only root and users in the wheel group?
i.e. permit empty password standard users (not in wheel)?

> Current default configuration allows users to login with an empty
> password by setting nullok parameter to pam_unix module. This affects
> only logins to local machine, it does not affect ssh logins as this
> must be explicitly allowed in sshd_config. We want to disallow empty
> password by default for local logins as well to improve system
> hardening.

At least out of the box on Fedora Workstation it's non-trivial to get
into this situation, you have to know what you're doing. The root user
has sp_pwdp set to ! and neither GNOME Initial Setup nor the GNOME
Settings: Users panel permits an empty passphrase.

Anyway, there is also a lot of other implied work with this feature
that I wonder if feature owners should evaluate the implications of a
possible future adoption of systemd-homed? That's a new feature in
systemd-244, and is something the Workstation WG is evaluating as part
of enabling user home encryption by default. The main thing
systemd-homed brings to the table is a cleaner authentication
paradigm, with user home encryption as a (recommended) option which
systemd-homed also manages.

I'll start a separate thread about homed, but since it touches on
authentication and so does this feature proposal, I think it's
relevant to bring attention to it.

--
Chris Murphy
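
An added example, not part of the original message or of the Fedora change proposal: a small audit that ties together the pieces discussed above, namely the `nullok` option on pam_unix, empty password fields in the shadow file, and the root/wheel distinction raised in the reply. All file contents are constructed samples and the function names are hypothetical; primary-group membership from /etc/passwd is not considered.

```python
# Constructed samples in /etc/shadow, /etc/group and PAM auth-stack format.
SHADOW = """\
root:!::0:99999:7:::
alice:$6$constructedsalt$constructedhash:18225:0:99999:7:::
kiosk::18225:0:99999:7:::
bob::18225:0:99999:7:::
"""
GROUP = "root:x:0:\nwheel:x:10:alice,bob\nkiosk:x:1001:\n"
PAM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
"""

def pam_unix_allows_empty(pam_text):
    """True if an active (uncommented) auth line passes nullok to pam_unix."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0].lstrip("-") != "auth":
            continue
        for i, tok in enumerate(fields):
            if tok.endswith("pam_unix.so") and "nullok" in fields[i + 1:]:
                return True
    return False

def empty_password_accounts(shadow_text):
    """Accounts whose password field is empty; '!' or '*' means locked, not empty."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return [r[0] for r in rows if len(r) >= 2 and r[1] == ""]

def privileged_accounts(group_text, group="wheel"):
    """root plus the supplementary members listed for the given group."""
    members = {"root"}
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] == group:
            members.update(m for m in parts[3].split(",") if m)
    return members

def audit(shadow_text, group_text, pam_text):
    """One row per empty-password account, flagged if it is root or in wheel."""
    accepts = pam_unix_allows_empty(pam_text)
    priv = privileged_accounts(group_text)
    return [{"user": u, "privileged": u in priv, "pam_unix_accepts_empty": accepts}
            for u in empty_password_accounts(shadow_text)]

if __name__ == "__main__":
    for row in audit(SHADOW, GROUP, PAM_AUTH):
        print(row)
```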