
postprocess: Disable empty password authentication via authselect #1934

Open
sebrandon1 wants to merge 1 commit into openshift:master from sebrandon1:hardening/pam-no-empty-passwords

Conversation

@sebrandon1
Member

RHCOS inherits nullok in PAM from the RHEL defaults, which permits authentication with empty passwords. RHCOS nodes are managed infrastructure with no legitimate use case for password-based login, let alone empty passwords, so this has no functional impact on existing deployments.

This adds a postprocess step that runs:

authselect select sssd without-nullok --force

and verifies that nullok was removed from system-auth and password-auth.

Why this change

This is flagged as a HIGH severity finding across every compliance profile that applies to RHCOS: Essential 8, CIS, NIST Moderate, and PCI-DSS. Unlike many hardening recommendations where benchmarks disagree, removing nullok is consistent across all of them.

Today, the compliance-operator remediation for this finding is broken on RHCOS 9 — it generates RHEL 8-era PAM templates that don't apply cleanly. Fixing it at the image level eliminates the issue for all clusters without requiring per-node MachineConfig remediation.

Why the maintenance burden is low

  • Uses authselect with its without-nullok feature flag — the supported RHEL mechanism purpose-built for this (authselect/authselect#94, landed in 2018)
  • No custom PAM files, no divergence from the RHEL PAM stack
  • The postprocess script includes a verification step that will fail the build if it doesn't work, so regressions surface immediately
  • 10 lines of script, no new packages

Scope

This is intentionally narrow. We understand the concern about carrying hardening overrides that diverge from RHEL defaults and create ongoing maintenance. This is not the start of a campaign to upstream every compliance checklist item into RHCOS.

A small number of changes like this one — high severity, universally agreed upon across benchmarks, zero functional risk, and using existing RHEL tooling — are worth considering. We're happy to discuss which additional items (if any) would meet that bar in separate conversations.

References

Activate authselect with the 'without-nullok' feature to remove the
nullok parameter from pam_unix.so in system-auth and password-auth.
This prevents authentication with empty passwords on RHCOS nodes.

Uses the supported RHEL mechanism (authselect) rather than replacing
PAM files directly. The without-nullok feature was purpose-built for
this use case by the authselect maintainer in 2018:
authselect/authselect@e1fbbdc

RHCOS nodes are managed infrastructure with no legitimate use case
for empty password authentication. Flagged as HIGH severity across
all compliance profiles (E8, CIS, Moderate, PCI-DSS).

Related:
- authselect issue: authselect/authselect#94
- Upstream scanner fix: ComplianceAsCode/content#14602
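The postprocess step the description outlines, as an added example that is not the PR's own script: it runs the authselect command quoted above and then refuses to let the build continue if nullok is still present in system-auth or password-auth. The function names and the sample PAM fragments are constructed for illustration; the /etc/pam.d paths are the standard locations of the two files the description names.

```shell
# Added example, not the PR's own postprocess script: the shape of a step
# that enables authselect's without-nullok feature and then fails the build
# if "nullok" survives in the generated PAM stacks.
set -eu

# Succeed only if no uncommented pam_unix.so line in the given files still
# carries a nullok argument; report every offender on stderr.
verify_no_nullok() {
    local rc=0 f
    for f in "$@"; do
        if grep -Eq '^[^#]*pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' "$f"; then
            echo "ERROR: nullok still present in $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# The hardening step itself. It only makes sense inside a RHCOS/RHEL build
# root, so the demo below does not call it.
harden_pam() {
    authselect select sssd without-nullok --force
    verify_no_nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
}

# Constructed sample fragments (not taken from a real node) showing the
# pam_unix.so lines before and after the feature is enabled.
demo() {
    local d before after
    d=$(mktemp -d)
    before="$d/system-auth.before"
    after="$d/system-auth.after"
    cat >"$before" <<'EOF'
auth        sufficient    pam_unix.so nullok
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
EOF
    cat >"$after" <<'EOF'
auth        sufficient    pam_unix.so
password    sufficient    pam_unix.so sha512 shadow use_authtok
EOF
    if verify_no_nullok "$before" 2>/dev/null; then
        echo "demo: the 'before' fragment should have been rejected" >&2
        return 1
    fi
    verify_no_nullok "$after"
    rm -rf "$d"
    echo "demo: nullok rejected before, clean after"
}
demo
```

In a real postprocess run, harden_pam would replace the demo call, and a non-zero exit from verify_no_nullok is what makes the image build fail rather than silently shipping a permissive stack.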
@openshift-ci openshift-ci Bot requested a review from dustymabe May 11, 2026 22:18
@openshift-ci
Contributor

openshift-ci Bot commented May 11, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign ravanelli for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested a review from marmijo May 11, 2026 22:18
@openshift-ci
Contributor

openshift-ci Bot commented May 11, 2026

@sebrandon1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                 Commit   Details  Required  Rerun command
ci/prow/images            663bec6  link     true      /test images
ci/prow/okd-scos-images   663bec6  link     true      /test okd-scos-images

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@travier
Member

travier commented May 12, 2026

I think this is reasonable but it should likely be done in the base layer (https://github.com/coreos/rhel-coreos-config) or maybe even in Fedora CoreOS directly (https://github.com/coreos/fedora-coreos-config).

@travier
Member

travier commented May 12, 2026

Note that while I agree that this is a valid hardening option, users must explicitly set an empty password for the root account for that option to actually matter as we do not set a password for root by default.
