pam_unix: add nullresetok option to allow reset blank passwords

Adding nullresetok to auth phase of pam_unix module will allow users with blank password to authenticate in order to immediatelly change their password even if nullok is not set. This allows to have blank password authentication disabled but still allows administrator to create new user accounts with expired blank password that must be change on the first login.
author: Pavel Březina <pbrezina@redhat.com> 2019-10-31 12:26:31 +0100
committer: Tomáš Mráz <t8m@users.noreply.github.com> 2020-02-18 11:14:27 +0100
commit: f5adefa106e28c92dd73dbabac12bad667ef7b8f (patch)
tree: 3193ef03dfdb94021de12695b5a6d7be1a69c6f7 /modules/pam_unix/pam_unix.8.xml
parent: f07a873240de53e07897d4ef9d1d3fd0c28fe7bb (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index 93a01c89..607ec85c 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -165,6 +165,19 @@
       </varlistentry>
       <varlistentry>
         <term>
+          <option>nullresetok</option>
+        </term>
+        <listitem>
+          <para>
+            Allow users to authenticate with blank password if password reset
+            is enforced even if <option>nullok</option> is not set. If password
+            reset is not required and <option>nullok</option> is not set the
+            authentication with blank password will be denied.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
           <option>try_first_pass</option>
         </term>
         <listitem>
author	Pavel Březina <pbrezina@redhat.com>	2019-10-31 12:26:31 +0100
committer	Tomáš Mráz <t8m@users.noreply.github.com>	2020-02-18 11:14:27 +0100
commit	f5adefa106e28c92dd73dbabac12bad667ef7b8f (patch)
tree	3193ef03dfdb94021de12695b5a6d7be1a69c6f7 /modules/pam_unix/pam_unix.8.xml
parent	f07a873240de53e07897d4ef9d1d3fd0c28fe7bb (diff)