Prevent Login to Accounts With Empty Password?

I am wondering, does somebody know how to solve this issue?
The issue is that Fedora 36 by default still has a way to log in to accounts with an empty password. I have tried solving the issue using this page, but I still doubt that it will solve the issue because of the authselect program. I could disable the program. But I was wondering if there's another way to approach this issue. Let me know.

I wonder what account you are referring to.
AFAIK most system level accounts do not allow any login, and are totally blocked by both a locked password in /etc/shadow

systemd-oom:!!:18816::::::

and an entry such as this in /etc/passwd

systemd-oom:x:961:952:systemd Userspace OOM Killer:/:/sbin/nologin

If you have an example of the account you are concerned about that has not been blocked by a normal system install (and has not been changed by a user) then please tell us.

Your link is to info related to RHEL documentation and may be perfectly proper there, but Fedora is slightly different and is designed to not allow unauthorized access as noted above.
The only way I know to have a null password field in /etc/shadow is for a user to put it there. You can easily see that yourself by looking at that file. The user management tools provided on the system do not ever leave that field empty. It is created with a password or it is locked by default.

My mistake then, the reason I assumed this was: when I ran SCAP Workbench, I was presented with "Prevent login to account with empty password" (fail).
Contents:

Description
If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in /etc/pam.d/system-auth to prevent logins with empty passwords.
Rationale
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Warnings
Warning: If the system relies on the authselect tool to manage PAM settings, the remediation will also use the authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. Note that this rule is not applicable for systems running within a container. Having a user with an empty password within a container is not considered a risk, because it should not be possible to directly log in to a container anyway.

Note that the warning is that you should never create an account with an empty password. It is for the admin as a reminder to enter the password, not telling them the account will not have a password (unless the admin chooses to create it that way). If so then they have already been informed of the risks and problems that may occur.

The link you provided is one way to prevent a login to an account the admin may have created with no password.

3 Likes

Now I understand, thank you for explaining. Then there is no need for me to solve that warning.

You can run

sudo authselect enable-feature without-nullok

and it will remove nullok from the various PAM files.
Run

authselect current

to see the current settings. And run

authselect show sssd

to see what other options are available.

4 Likes
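The two checks the thread walks through (an empty second field in /etc/shadow, and the nullok option on pam_unix.so lines in /etc/pam.d/system-auth) turned into a small audit script. This is an added example, not code from the thread, from Fedora or from authselect. The file paths are parameters, the sample shadow entries and PAM lines are constructed, and the account name "alice" is an invented placeholder; the functions run unchanged against the real files as root. The manual nullok removal is shown only for comparison with the authselect feature the answer above recommends.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora/authselect: audit a
# shadow file for accounts with an empty password field and a PAM auth file
# for the nullok option, and show the manual remediation next to the
# authselect one. File paths are parameters so the functions run here on
# constructed sample files and, as root, on the real /etc/shadow and
# /etc/pam.d/system-auth.

# Print the names of accounts whose second (password) field is empty.
# "!", "!!" and "*" are locked or disabled passwords, not empty ones,
# and are therefore not reported.
find_empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 if an uncommented pam_unix.so line in the file carries
# nullok (or nullok_secure), 1 otherwise.
pam_has_nullok() {
    grep -Eq '^[^#]*pam_unix\.so.*[[:space:]]nullok' "$1"
}

# The manual remediation SCAP describes: drop nullok/nullok_secure from
# every line. On an authselect-managed Fedora system do NOT apply this to
# the live files; run "sudo authselect enable-feature without-nullok"
# instead, because a hand edit makes "authselect check" fail and blocks
# later authselect operations. This prints the edited content to stdout.
strip_nullok() {
    sed -E 's/[[:space:]]+nullok(_secure)?//g' "$1"
}

# Constructed sample files (not real system data) for a stand-alone run;
# prints the directory they were written to. "alice" is an invented account.
write_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/shadow" <<'EOF'
root:$6$examplesalt$examplehash:19000:0:99999:7:::
systemd-oom:!!:18816::::::
bin:*:18000:0:99999:7:::
alice::19000:0:99999:7:::
EOF
    cat > "$dir/system-auth" <<'EOF'
# Generated by authselect (constructed sample)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
EOF
    printf '%s\n' "$dir"
}

# Run the audit on the samples and return non-zero if anything is found,
# the way a compliance check would.
audit() {
    dir=$(write_sample_files)
    status=0
    empty=$(find_empty_password_accounts "$dir/shadow")
    if [ -n "$empty" ]; then
        echo "accounts with empty password field: $empty"
        status=1
    fi
    if pam_has_nullok "$dir/system-auth"; then
        echo "nullok present in $dir/system-auth; remediated version:"
        strip_nullok "$dir/system-auth"
        status=1
    fi
    rm -rf "$dir"
    return $status
}

if [ "${1:-}" = "--demo" ]; then
    audit
fi
```

Run it with `--demo` to see both findings on the sample data. Against a live system, `find_empty_password_accounts /etc/shadow` should print nothing on a stock Fedora install, which is the point the earlier reply makes: the SCAP rule fails on the presence of nullok in the PAM stack, not on any actual account being passwordless.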