Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I would like the only user account on my desktop to have a null/empty password. How do I disable cracklib in the PAM configuration from saying this is not allowed? I can see how commenting out the cracklib line in /etc/pam.d/system-auth-ac could work, but that file is auto-generated by authconfig, and I don't want my changes to be lost when authconfig is run. It seems like authconfig should provide a way to do it, but none of its command-line or GUI options relate to cracklib. I tried setting USECRACKLIB=no in /etc/sysconfig/authconfig and running authconfig --updateall, but this simply reset the text file to USECRACKLIB=yes. How can I change this?
I'd also like to ask how much of a risk you think this is? I'm not worried about my flatmates/friends using my computer, in fact I'd rather they were able to do so without a password. But how easy would it be for someone to access my user account over the internet if I don't have a password?
If the machine is visible to the internet (which it may or may not be), it would get compromised very quickly by the scripts that scan around to random IP addresses and brute force attack them.
If you don't mind your flat mates logging in, just put a sticky note with the username and password on the monitor. That protects you from the bots to some degree and it allows you to use a good password because no one has to remember it.
Or you could run off a liveCD or something of the sort which doesn't generally use passwords that you need to know.
Wouldn't you be much better-off simply configuring your session manager to auto-login? I have my Ubuntu desktop (which uses GDM) configured like this for my parents. If your objective is simply to not have to type a password when the computer starts, auto-login is the way to go. You could even use a "guest" account for the auto-login, so that your personal account is still password-protected.
Thanks for the advice. I've decided to retain my password and use auto-login. Out of interest, how would I disable cracklib? There must be a relatively simple way to do it!
Comment out the "use_authtok" argument on the pam_unix line.
use_authtok effectively tells pam_unix to require a password from the previous step (formerly pam_cracklib). So if you leave it there after commenting-out pam_cracklib, no password is passed to pam_unix and it refuses to prompt for one itself and the whole operation fails.
So these changes cause pam_unix to prompt you for a password instead of pam_cracklib.
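The failure mode described in the reply above (pam_cracklib commented out while use_authtok is still set on the pam_unix line) can be checked for mechanically. The following is an added example, not part of the original thread: the sample stack is constructed, and the set of modules treated as able to prompt for a new password is an assumption of the example.

```python
import re

# Constructed sample of a system-auth password stack: pam_cracklib has been
# commented out, but use_authtok is still present on the pam_unix line.
BROKEN = """\
#password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""
# Same stack with use_authtok removed, so pam_unix prompts by itself.
FIXED = BROKEN.replace(" use_authtok", "")

# Assumption: modules that ask for the new password when run without use_authtok.
PROMPTERS = {"pam_cracklib.so", "pam_pwquality.so", "pam_passwdqc.so", "pam_unix.so"}

# type, control (plain word or [bracketed list]), module path, arguments
LINE = re.compile(r"^-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def password_stack(text):
    """Return (module, args) for every active 'password' line, in file order."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m:
            module = m.group(2).rsplit("/", 1)[-1]     # strip any directory part
            stack.append((module, m.group(3).split()))
    return stack


def orphaned_use_authtok(text):
    """List modules that demand a token (use_authtok) nobody before them collected."""
    findings, prompted = [], False
    for module, args in password_stack(text):
        if "use_authtok" in args:
            if not prompted:
                findings.append(module)
        elif module in PROMPTERS:
            prompted = True
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, orphaned_use_authtok(cfg) or "ok")
```
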