Prevent Login to Accounts With Empty Passwor (ubuntu2404)
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in
/etc/pam.d/common-{password,auth,account,session,session-noninteractive}
to prevent logins with empty passwords.
Rationale
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if ( dpkg-query --show --showformat='${db:Status-Status}' 'libpam-runtime' 2>/dev/null | grep -q '^installed$' && dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$' ); then
conf_name=cac_unix
conf_path="/usr/share/pam-configs"
if [ ! -f "$conf_path"/"$conf_name" ]; then
if [ -f "$conf_path"/unix ]; then
if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
cp "$conf_path"/unix "$conf_path"/"$conf_name"
sed -i 's/Priority: [0-9]\+/Priority: 257\
Conflicts: unix/' "$conf_path"/"$conf_name"
DEBIAN_FRONTEND=noninteractive pam-auth-update
else
echo "Not applicable - checksum of $conf_path/unix does not match the original." >&2
fi
else
echo "Not applicable - $conf_path/unix does not exist" >&2
fi
fi
config_file="/usr/share/pam-configs/cac_unix"
sed -i '/pam_unix\.so/s/nullok//g' "$config_file"
DEBIAN_FRONTEND=noninteractive pam-auth-update
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
