From 6b5a5eeabadb883e962ceac2f8242dc8eb6dbd04 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutras.com>
Date: Sat, 16 Sep 2023 11:57:33 +0300
Subject: [PATCH] hardening: reject authentication with empty passwd

SSH defaults to disallowing empty passwords but Dovecot has no similar
safeguard (at least not one enabled by default). Remove "nullok" from
/etc/pam.d/system-auth to implement the desired behavior system-wide.
---
 roles/hardening/tasks/main.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
index 1b811397f..9a78c3d04 100644
--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
@@ -1,3 +1,9 @@
+- name: Prevent users with empty passwords from authenticating
+  replace:
+    path: /etc/pam.d/system-auth
+    regexp: " nullok"
+    replace: ""
+
 - name: Set restricted access to kernel logs
   copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644
   notify:
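Review bot: The pattern on the `regexp: " nullok"` line is an unanchored substring, so it also matches the start of a longer option such as `nullok_secure` (used by some distributions' pam_unix lines) and would leave a dangling `_secure` token behind; a word-boundary pattern, `regexp: ' nullok\b'`, keeps the removal exact. The same pattern silently does nothing if `nullok` is separated by a tab rather than a space, so a subsequent check that the option is truly gone (for example an `assert` task or a `failed_when` on a grep) would make the hardening intent verifiable rather than assumed. A one-line comment above the task such as `# pam_unix rejects empty passwords unless "nullok" is present; strip it so this holds for every PAM consumer (e.g. Dovecot)` would record why the file is edited here. The `replace` module only touches the named file; whether other PAM stacks on the target hosts include their own `nullok` is not visible from this patch and may be worth confirming.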
-- 
GitLab