I am trying to improve the security of my overall IT infrastructure, so I started out using a smart card for login. I have managed to configure a PIV smart card with a private key and an X.509 certificate and set up pam_pkcs11 such that the smart card login works. As described in the docs, I have added this:

auth    [success=2 default=ignore]      pam_pkcs11.so

to /etc/pam.d/common-auth, and since then the smart card login works. But now, if the reader and the smart card are removed, the system falls back to a password login (GNOME in this case).

So my goal is to completely disable password login, no matter whether there is a graphical interface or not. If the reader and the smart card are not connected, login should not be possible.

Somewhere I have read that `passwd -l $(whoami)` will set the password for a certain account inactive, but that doesn't feel right to me.

Is it possible to do that with PAM, such that password login is disabled for the whole machine?

BTW: right now I am using Ubuntu 19.10.

philipp
  • It looks to me that `default=ignore` says that it's OK to ignore the module having failed (ref: [man pam.conf](https://manpages.debian.org/libpam-runtime/pam.conf.5)) – A.B Jan 24 '20 at 14:28

3 Answers

3

It seems that the module pam_unix.so is responsible for standard Unix authentication:

PAM_UNIX(8)                           Linux-PAM Manual                           PAM_UNIX(8)

NAME
       pam_unix - Module for traditional password authentication

SYNOPSIS
       pam_unix.so [...]

DESCRIPTION
       This is the standard Unix authentication module. It uses standard calls from the
       system's libraries to retrieve and set account information as well as authentication.
       Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if
       shadow is enabled.

So to totally disable password-based authentication, I suppose that commenting out every line containing pam_unix.so in your /etc/pam.d directory should be enough.

binarym
  • This seems to work. I will try this and hope that everything will go on working... thanks. – philipp Jan 24 '20 at 12:32
  • Moreover ... as your ability to log on to your systems **totally** depends on your X.509 certificates, I strongly advise you to be very cautious while managing them, especially regarding the expiration date ;-) – binarym Jan 24 '20 at 15:07
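To see why the stack from the question still reaches the password prompt, and what removing the pam_unix.so line changes, here is a small simulator of the control-flag semantics documented in pam.conf(5) (`ok`, `bad`, `die`, `done`, `ignore` and the numeric jump). It is an added example, not code from the thread or from Linux-PAM: the two stacks are constructed to mirror Debian's common-auth layout, and each module's outcome is hard-coded rather than taken from a real PAM run.

```python
import re

# pam.conf(5) shorthand controls as their [value=action] equivalents.
SHORTHAND = {"required": "success=ok ignore=ignore default=bad", "requisite": "success=ok ignore=ignore default=die",
             "sufficient": "success=done default=ignore", "optional": "success=ok default=ignore"}

def parse_stack(text):
    # [(actions, module)] for each uncommented 'auth' line of a pam.d file.
    stack = []
    for line in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.split("#")[0].strip())
        if m:
            spec = m.group(1)[1:-1] if m.group(1).startswith("[") else SHORTHAND[m.group(1)]
            stack.append((dict(kv.split("=") for kv in spec.split()), m.group(2)))
    return stack

def run_stack(stack, results):
    """Walk the stack; results maps module -> its return ('success' or 'auth_err')."""
    status, impression, i = None, None, 0   # recorded return and whether it is good or bad
    while i < len(stack):
        actions, module = stack[i]
        ret = results.get(module, "auth_err")
        act, i = actions.get(ret, actions.get("default", "bad")), i + 1
        if act == "ignore":
            continue
        if act.isdigit():                     # "N" counts as ok and skips the next N modules
            i, act = i + int(act), "ok"
        if act in ("ok", "done"):
            if impression is None or (impression == "good" and status == "success"):
                impression, status = "good", ret
        elif impression != "bad":             # "bad" or "die": the first failure is kept
            impression, status = "bad", ret
        if act in ("done", "die"):
            break
    return status if impression else "perm_denied"   # nothing decided: PAM must fail

QUESTION_STACK = """
auth  [success=2 default=ignore]  pam_pkcs11.so
auth  [success=1 default=ignore]  pam_unix.so nullok_secure
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
"""
# pam_unix.so commented out; jump shortened so a good card still lands on pam_permit.
HARDENED_STACK = QUESTION_STACK.replace("success=2", "success=1").replace(
    "auth  [success=1 default=ignore]  pam_unix", "#auth [success=1 default=ignore]  pam_unix")

def login(stack_text, card_ok, password_ok):
    # Constructed outcomes: pam_deny always fails (default), pam_permit always succeeds.
    results = {"pam_pkcs11.so": card_ok, "pam_unix.so": password_ok, "pam_permit.so": True}
    results = {m: "success" if ok else "auth_err" for m, ok in results.items()}
    return run_stack(parse_stack(stack_text), results)
```

With the question's stack a failed card is ignored and a correct password still succeeds; with pam_unix.so removed, a missing card falls straight into pam_deny.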
1

Sometimes you need to set passwordless logins for a user for auto logins or shell scripting, so that you do not need to provide any password. This can be achieved by using the passwd command with the -d option, which deletes the already assigned password.

Example:

passwd -d USERNAME

Once you are done with this change, the password field in /etc/shadow is changed to empty, so that without a password you can log in from any machine to the local machine. Update: Some users pointed out that this works only for local logins; for remote logins this will not work.

programmer
0

Here is a solution to problems arising from attempts to disable PAM:

I am the only user of my computer and thus don't like PAM, but if you want to avoid PAM, use the disabling command ("skip-authentication") described elsewhere. In general, you must have a root login to do anything described here.

The following has been tested with Ubuntu v. 20.04.3 LTS; it is not strongly system-dependent and the procedures described below should work for any recent Ubuntu OS.

Unfortunately Ubuntu's current versions will not run in the absence of certain PAM files: When these files are removed or disabled, Ubuntu won't boot -- and attempting a reboot in Ubuntu "Recovery Mode" won't work, either. Why this total dependence on PAM was designed into Ubuntu, I do not know; it appears to be a design error of some kind.

Anyway, in this article, I will describe how to recover from a fatal PAM error without having to reinstall the Ubuntu OS.

Preliminaries

First of all, you MUST create an Ubuntu reinstallation DVD -- which usually will be an ISO file freely downloadable from the internet (and also sold for a nominal sum by various vendors). Bootable DVDs also can be created by using certain downloadable applications (e.g., K3b) to modify a nonbootable DVD.

After creating this bootable DVD, you should test it to be sure it will boot on its own. After booting, it should prompt you either to try out or to install Ubuntu. Exit or turn off your computer to avoid changing anything.

Secondly, and optionally, you should get into the habit of backing up your entire Ubuntu OS at regular (say, weekly) intervals. Then, if you have to reinstall Ubuntu, you can install your most recently backed-up data, too.

Recovery From OS Errors

The key to recovery is NEVER to delete OS files without knowing that the OS will operate without them. When contemplating removal of an OS file (e.g., a PAM file), one ALWAYS should leave the file installed and disable the file by renaming it first, and then reboot and test the effect.

My preferred rename is to change (file).exe to (file).exe_JMW_WAS, because a file named (whatever).exe_JMW_WAS is not an Ubuntu (or Windows) executable. Doing a find for all *_JMW_WAS makes it easy to correct renaming errors (I use `find / -name '*_JMW_WAS' -print`, with the pattern quoted so the shell does not expand it).

Disabling several of the installed PAM files will prevent a reboot; but how to correct such an error? With certain PAM files disabled or removed, a normal reboot will hang, and even a recovery-mode reboot will print a fatal-error message and never continue.

FIRST: Do not delete any PAM file; instead, rename it to prevent execution.

SECOND: In case of disaster, try Ubuntu recovery mode. If you find that recovery mode doesn't work, reboot with your reinstall DVD.

After some delay, this DVD will give you the options of (a) trying out Ubuntu or (b) installing Ubuntu. Pick the try-out option.

After more delay, you will be presented with some manual commands to run; choose the "FILES" command.

The FILES display has a final "Other Locations" option which will list the installed OS's. This list will include your unbootable Ubuntu OS as well as Windows (if it is installed).

Logged in as root, and using an available terminal command, you now can select the unbootable Ubuntu OS in FILES and cd to the /etc or the /lib directory containing the PAM or other file(s) you erroneously modified or disabled previously -- and, of course, which you renamed but did not delete.

Rename the appropriate files back to their original executable names, and voilà! Your Ubuntu OS will now reboot normally!