Profile Applicability:
• Level 1
Description:
The nullok option in the pam_unix module allows users to authenticate with empty (null) passwords. Removing this option ensures that null passwords are not accepted, strengthening authentication security.
Rationale:
Disabling nullok prevents the use of empty passwords, reducing the risk of unauthorized access due to weak or blank passwords.
Impact:
Pros:
Enforces that users must have non-empty passwords.
Enhances system security by preventing trivial authentications.
Cons:
May cause authentication failures if any accounts rely on null passwords (which is insecure and not recommended).
Default Value:
The nullok option is sometimes included by default, depending on system configuration.
Pre-requisites:
Root or sudo privileges to modify PAM configuration files.
Remediation:
Test Plan:
Using Linux command line:
- Check PAM configuration files (e.g., /etc/pam.d/system-auth or /etc/pam.d/common-auth) for pam_unix and nullok:
grep pam_unix /etc/pam.d/system-auth
grep nullok /etc/pam.d/system-auth
grep pam_unix /etc/pam.d/common-auth
grep nullok /etc/pam.d/common-auth
Verify whether the nullok option is present on any pam_unix line; for compliance it must not appear.
Implementation Plan:
Using Linux command line:
1. Edit PAM configuration files to remove nullok from pam_unix lines:
vi /etc/pam.d/system-auth
2. Locate lines with pam_unix.so and remove the nullok option if present. For example, a line such as
auth required pam_unix.so nullok try_first_pass
becomes
auth required pam_unix.so try_first_pass
3. Save the file and repeat for other relevant PAM files like /etc/pam.d/common-auth.
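The audit from the Test Plan and the edit from the Implementation Plan, as an added shell example that is not part of the benchmark text. It assumes GNU grep/sed (as on Amazon Linux 2); the sample PAM file it builds is constructed for illustration, and the function names are mine. Unlike a bare grep for the word nullok, it only counts nullok on uncommented pam_unix.so lines, and the remediation keeps a .bak copy for the Backout Plan.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit and remove the nullok
# option on pam_unix.so lines. File paths are arguments so the same functions
# serve /etc/pam.d/system-auth, /etc/pam.d/common-auth and similar files.

# Matches an uncommented pam_unix.so line that carries nullok (or the
# Debian-style nullok_secure) as a whitespace-separated option.
NULLOK_RE='^[^#]*pam_unix\.so[^#]*[[:space:]]nullok'

# Print offending lines with line numbers. Exit status 0 = nullok found
# (non-compliant), 1 = no offending line in this file.
pam_nullok_lines() {
    grep -nE "$NULLOK_RE" "$1"
}

# Total number of offending lines across all given files; 0 means compliant.
# Missing files are skipped so one call can cover several distributions' paths.
pam_nullok_count() {
    n=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        c=$(grep -cE "$NULLOK_RE" "$f") || true   # grep -c prints 0 on no match
        n=$((n + c))
    done
    echo "$n"
}

# Strip nullok/nullok_secure from pam_unix.so lines only; other modules and
# commented lines are left untouched. Keeps FILE.bak for backout (GNU sed -i).
pam_remove_nullok() {
    cp -p "$1" "$1.bak"
    sed -i -E '/^[^#]*pam_unix\.so/ s/[[:space:]]+nullok(_secure)?([[:space:]]|$)/\2/g' "$1"
}

# Constructed sample resembling a system-auth file; two lines are non-compliant,
# the commented-out line must be ignored.
make_sample_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# auth sufficient pam_unix.so nullok   (commented out, not active)
EOF
}

# Audit the files named on the command line, e.g. /etc/pam.d/system-auth.
for f in "$@"; do pam_nullok_lines "$f"; done
[ "$#" -eq 0 ] || echo "offending lines: $(pam_nullok_count "$@")"
```

Run the audit as root before remediation; a non-zero count is the finding, and pam_remove_nullok leaves the .bak file that the Backout Plan would restore.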
Backout Plan:
Using Linux command line:
Re-add the nullok option if necessary by editing the PAM files.
Test authentication to verify behavior.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_unix Documentation