UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Ubuntu operating system must be configured so that the SSH daemon does not allow authentication using an empty password.


Overview

Finding ID Version Rule ID IA Controls Severity
V-215126 UBTU-16-030250 SV-215126r610931_rule High
Description
Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security.
STIG Date
Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide 2020-12-09

Details

Check Text ( C-16325r285246_chk )
To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:

# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
PermitEmptyPasswords no

If no line is returned, the line is commented out, or the value is set to "yes", this is a finding.
Fix Text (F-16323r285247_fix)
To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":

PermitEmptyPasswords no

Note: Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:

# sudo systemctl restart sshd.service