Re: Surprise null root password
- In reply to: bob prohaska : "Surprise null root password"
Date: Tue, 30 May 2023 19:36:47 UTC
On 26.05.2023 at 19:35, bob prohaska wrote:
> While going through normal security email from a Pi2
> running -current I was disturbed to find:
>
> Checking for passwordless accounts:
> root::0:0::0:0:Charlie &:/root:/bin/sh

This thread reminded me of another issue with passwords I encountered a few years ago. Setting stronger passwords by users can be enforced by pam_passwdqc(8). But if the password expiration policy is enabled, it doesn't work, since the password change for expired passwords is called by the ssh or login PAM module. Thus, to enforce stronger passwords for users with expired passwords, pam_passwdqc should also be added to both /etc/pam.d/{login,sshd}; otherwise a user with an expired password just presses return twice during the login prompt and has an empty password set.

I even raised D27656 some time ago, but it did not gain much interest except for some rephrasing/grammar advice.

So to use a password expiration policy and enforce high-quality passwords together, pam_passwdqc(8) has to be activated in all three: /etc/pam.d/{login,passwd,sshd}.

Cheers

--
Marek Zarychta
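A check for the configuration described in the message, added here as an example and not part of the original post or of FreeBSD: it reports which of /etc/pam.d/{login,passwd,sshd} lack pam_passwdqc in their password chain. The function names and the sample policy files are constructed for illustration, and the parser assumes OpenPAM's `facility control module` line format with `include`.

```shell
#!/bin/sh
# has_passwdqc DIR SERVICE [DEPTH]: succeeds if SERVICE's "password" chain loads
# pam_passwdqc, following "include" lines (assumes OpenPAM policy syntax:
# facility control module [options]). Subshell body keeps recursion variables local.
has_passwdqc() (
    dir=$1 svc=$2 depth=${3:-0}
    [ "$depth" -lt 8 ] && [ -r "$dir/$svc" ] || exit 1
    while read -r facility control module rest || [ -n "$facility" ]; do
        [ "$facility" = password ] || continue   # skips comments, other facilities
        if [ "$control" = include ]; then
            has_passwdqc "$dir" "$module" $((depth + 1)) && exit 0
        else
            case ${module##*/} in pam_passwdqc|pam_passwdqc.so*) exit 0 ;; esac
        fi
    done < "$dir/$svc"
    exit 1
)

# audit_passwdqc DIR: report the three services from the message; the return
# status is the number of services whose password chain lacks pam_passwdqc.
audit_passwdqc() {
    missing=0
    for s in login passwd sshd; do
        if has_passwdqc "$1" "$s"; then echo "ok      $s"
        else echo "MISSING $s"; missing=$((missing + 1)); fi
    done
    return "$missing"
}

# make_sample: constructed policy files for the demo, not copied from a real host.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#password requisite pam_passwdqc.so enforce=users' \
        'password required pam_unix.so no_warn try_first_pass' > "$d/system"
    printf '%s\n' 'auth include system' 'password include system' > "$d/login"
    printf '%s\n' 'password requisite pam_passwdqc.so enforce=users' \
        'password required pam_unix.so no_warn try_first_pass' > "$d/passwd"
    printf '%s\n' 'auth required pam_unix.so no_warn try_first_pass' \
        'password required pam_unix.so no_warn try_first_pass' > "$d/sshd"
    echo "$d"
}

# Demo on the constructed files; on a real host run: audit_passwdqc /etc/pam.d
demo=$(make_sample) && { audit_passwdqc "$demo"; rm -rf "$demo"; }
```

A commented-out pam_passwdqc line counts as absent, and a service that only does `password include system` is judged by what the included policy actually loads.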