nullok_secure option

Steve Langasek vorlon at
Thu Sep 1 07:09:24 UTC 2005

On Thu, Sep 01, 2005 at 04:58:27PM +1000, Nick Hoffman wrote:
> In /etc/pam.d/common-auth I found the following line:

> auth  required nullok_secure

> Neither manpages, docs, or Google have anything to say about the nullok_secure 
> option. If anyone could shed some light on it, that would be great.

Given that this is a Debian-specific patch which has not yet been
submitted upstream (that's on my TODO list after getting a newer
upstream version than 0.76 into Debian unstable...), your odds would
have been better asking the Debian package maintainer, FWIW. :)  Since I
happened to catch your message, though, I might as well answer here.

The nullok_secure option was added to support passwordless pam_unix
logins only from ttys listed in /etc/securetty.  It was added because
nullok was not considered an appropriate option to configure for all
services, but there was a need to support passwordless root logins on
tty2 on newly installed Debian systems when base-config has not yet
been run to configure a root password.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at                         
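
Added example (not part of the original message, and not the Debian patch's code): a small Python model of the rule described above, where an empty password is accepted under nullok_secure only when the login terminal is listed in /etc/securetty. The function names and sample file contents are constructed for illustration, and the pam_unix.so module name on the sample line is an assumption, since the quoted config line omits it.

```python
# Model of the rule described in the message above; not the Debian patch itself.
# Sample file contents are constructed for illustration.
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth    required    pam_unix.so nullok_secure
"""
SAMPLE_SECURETTY = """\
# /etc/securetty (constructed sample)
tty1
tty2
"""

def parse_securetty(text):
    """Return the tty names listed in securetty text, skipping comments and blanks."""
    lines = (ln.strip() for ln in text.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#")}

def null_password_policy(pam_text):
    """Return 'nullok', 'nullok_secure' or 'deny' for the first pam_unix auth line."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0].lstrip("-") != "auth":
            continue
        for i, tok in enumerate(fields):
            if tok.endswith("pam_unix.so"):
                opts = fields[i + 1:]
                if "nullok" in opts:  # assumption: the broader option wins if both appear
                    return "nullok"
                return "nullok_secure" if "nullok_secure" in opts else "deny"
    return "deny"

def empty_password_allowed(pam_text, securetty_text, tty):
    """Decide whether an account with an empty password may log in from `tty`."""
    policy = null_password_policy(pam_text)
    if policy == "nullok":
        return True  # accepted for every service and terminal
    if policy == "nullok_secure":
        name = tty or ""
        if name.startswith("/dev/"):
            name = name[len("/dev/"):]
        return name in parse_securetty(securetty_text)
    return False

if __name__ == "__main__":
    for tty in ("tty2", "/dev/tty1", "pts/0", None):
        print(tty, empty_password_allowed(SAMPLE_COMMON_AUTH, SAMPLE_SECURETTY, tty))
```

Swapping nullok_secure for plain nullok in the sample shows the difference the message describes: the empty password is then accepted from terminals that are not in securetty as well.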