Fedora 32 Will Still Allow Empty Passwords By Default

Written by Michael Larabel in Fedora on 9 December 2019 at 03:46 PM EST. 18 Comments
FEDORA
Last month was a proposal for Fedora 32 to disallow empty passwords for local users by default but at today's Fedora Engineering and Steering Committee (FESCo) they completely shot down that proposal.

Fedora has been shipping with the Fedora PAM module parameter that allows for empty/null passwords on local users -- to be clear, root passwords cannot be null and the default OpenSSH server configuration doesn't allow empty passwords either for logging into user accounts. Fedora local accounts can have an empty password for legitimate use-cases like testing environments where security is of little to no importance, throw-away VMs/instances, and some tooling like Fedora Live images relying upon this behavior.

The proposal to disallow empty passwords by default was done in the name of trying to improve security on systems, but with that not doing much by itself and there being legitimate use-cases for password-less local user accounts, this idea was widely panned on the Fedora development list. So when it came to FESCo voting on this change, everything voted against this proposed F32 alteration.

In fact, with everyone being against it on the committee and already having voted against it on the issue ticket, when that happens again for any change request their new policy will be to abandon the change proposal right away with an "instant reject" and not even waste the time bringing it up at their weekly meetings.

Fedora 32 is aiming for release around the end of April.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week