Fedora 32 System-Wide Change proposal: Disallow Empty Password By Default - devel


Ben Cotton

Monday, 25 November 2019, 3:25 p.m.

https://fedoraproject.org/wiki/Changes/DisallowEmptyPasswordsByDefault

== Summary ==

Remove the ''nullok'' parameter from the pam_unix module in the default PAM configuration in order to disallow authentication with an empty password.

== Owner ==

* Name: [[User:pbrezina| Pavel Březina]]
* Email: <pbrezina(a)redhat.com>

== Detailed Description ==

The current default configuration allows users to log in with an empty password by setting the nullok parameter on the pam_unix module. This affects only logins to the local machine; it does not affect ssh logins, as those must be explicitly allowed in sshd_config. We want to disallow empty passwords by default for local logins as well to improve system hardening.

Note: It is possible to disallow empty passwords with an authselect call (authselect enable-feature without-nullok) or by removing nullok manually; however, this creates possible issues in other components that must be addressed.

=== Affected Components ===

* '''passwd''' - calling passwd -d to remove a user's password must be denied if empty passwords are disallowed, otherwise the user will be locked out of the system.
* '''AccountService''' - the D-Bus methods ''SetPassword'' and ''SetPasswordMode'' on the ''org.freedesktop.Accounts.User'' interface can remove a user's password and lock the user out of the system if empty passwords are disallowed. These calls must be denied in this case. Additionally, these methods can be run by normal users, as opposed to ''passwd -d'' and ''chage -d 0'', which can be run only by root. Therefore only root should be able to call these methods.
* '''GNOME Control Center''' - when creating new users, it provides an option to "require password to be set on first login" which creates the user with an expired empty password. This would again lock the user out of the system.
* '''Other Desktop Environments''' - may have the same issue as GNOME Control Center.

=== Solution Step by Step ===

==== Step 1) Provide a unified way to read if nullok is enabled or not ====

We will create an authselect library call that parses the existing PAM configuration (not necessarily generated by authselect) and returns a list of enabled/disabled features. We will implement only the ''nullok'' feature in the scope of this change, but if needed it can be extended in the future.

==== Step 2) Fix passwd -d ====

Calling ''passwd -d'' to remove a user's password will fail if ''nullok'' is disabled.

==== Step 3) Fix AccountService ====

These methods on the ''org.freedesktop.Accounts.User'' D-Bus interface will be callable only by ''root'' and must return an error if ''nullok'' is disabled:

* SetPasswordMode
* SetPassword("", hint)

==== Step 4) Fix Desktop Environments ====

"Require password change on next login" must keep working. This feature currently relies on setting an empty password. A new option ''nullresetok'' will be implemented for the ''pam_unix'' module that will allow a user to authenticate with an empty password only if a password change for this user is enforced upon login. Authentication with empty passwords which are not expired will be prohibited (unless ''nullok'' is set).

==== Step 5) Update PAM configuration to disable nullok by default ====

In the authselect and pam components, for new installations only. Upgrading from older systems will keep nullok present.

== Benefit to Fedora ==

The changes in the described components (Step 1 - Step 4) are necessary in order to make sure that user accounts and tools work correctly when authentication with empty passwords is disabled by the system administrator. Changing the system default to disallow authentication with empty passwords (Step 5) improves system hardening.

== Scope ==

* Proposal owners: Coordinate the work. Make sure all required changes are implemented.
* Other developers: All affected components must be fixed. The changes are described in ''Detailed Description''.
* Release engineering: [https://pagure.io/releng/issue/9038 #9038] (a check of the impact with Release Engineering is needed)
* Policies and guidelines: No updates needed.
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==

This does not affect system upgrades because only new installations will have the changed default.

== How To Test ==

* Calling ''passwd -d user'' as root must fail with the default configuration.
* Calling ''org.freedesktop.Accounts.User.SetPassword("", hint)'' and ''org.freedesktop.Accounts.User.SetPasswordMode(x)'' must fail with the default configuration.
* "Require password reset on first login" must keep working when creating users from the Desktop Environments' GUI tools.

== User Experience ==

Users will no longer be able to use empty passwords by default.

== Dependencies ==

None.

== Contingency Plan ==

* Contingency mechanism: Default behavior will not be changed.
* Contingency deadline: Beta
* Blocks release? No
* Blocks product? No

== Documentation ==

-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
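As an added illustration of Step 1 and Step 5 of the proposal (this is an example script written for this page, not code from the Fedora Change, from authselect or from pam_unix): a small POSIX shell audit that reads a PAM service file the way the proposed authselect library call would, reports whether any active pam_unix.so line carries the nullok option, and produces a copy with nullok stripped. The two service files are constructed samples in the style of a Fedora system-auth file; the function names and the temporary directory are this example's own choices.

```shell
#!/bin/sh
# Added example: audit a PAM service file for the nullok option on pam_unix.so
# and emit a hardened copy. Not the authselect implementation; a plain sed/grep
# reading of the PAM config format, suitable for checking a host after upgrade
# (where the proposal says nullok stays present).

# pam_nullok_enabled FILE
# Returns 0 if an active (non-comment) module line loads pam_unix.so with a
# standalone "nullok" token, 1 otherwise. "nullresetok" (Step 4) does not match.
pam_nullok_enabled() {
    sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*(auth|account|password|session)[[:space:]]' \
        | grep -E '[[:space:]]pam_unix\.so([[:space:]]|$)' \
        | grep -qE '[[:space:]]nullok([[:space:]]|$)'
}

# pam_strip_nullok FILE
# Prints FILE with the nullok token removed from active pam_unix.so lines,
# i.e. the Step 5 default expressed as an edit of an existing file.
pam_strip_nullok() {
    sed -E '/^[^#]*pam_unix\.so/ s/[[:space:]]+nullok([[:space:]]|$)/\1/g' "$1"
}

# Constructed sample files (not real Fedora files).
tmpdir=$(mktemp -d)

cat > "$tmpdir/system-auth-nullok" <<'EOF'
# constructed sample: current Fedora-style default, empty passwords allowed
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF

cat > "$tmpdir/system-auth-hardened" <<'EOF'
# constructed sample: proposed default, nullok removed
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
# auth      sufficient    pam_unix.so nullok   <- commented out, must not count
auth        required      pam_deny.so
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

# Report both samples, then show the stripped form of the weak one.
for f in "$tmpdir/system-auth-nullok" "$tmpdir/system-auth-hardened"; do
    if pam_nullok_enabled "$f"; then
        echo "$(basename "$f"): nullok present (empty local passwords allowed)"
    else
        echo "$(basename "$f"): nullok absent"
    fi
done
echo "--- hardened copy of system-auth-nullok ---"
pam_strip_nullok "$tmpdir/system-auth-nullok"
```

On a real host the files of interest are the ones authselect generates under /etc/pam.d (system-auth and password-auth); the strip function is a demonstration of the edit, not a replacement for `authselect enable-feature without-nullok`, which is what keeps the change consistent across profiles.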

