Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-215302 | AIX7-00-002120 | SV-215302r508663_rule | | Medium |
Description |
---|
When password authentication is allowed, PermitEmptyPasswords specifies whether the server allows login to accounts with empty password strings. If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. |
STIG | Date |
---|---|
IBM AIX 7.x Security Technical Implementation Guide | 2021-03-10 |
Check Text (C-16500r294357_chk) |
---|
Check the SSH daemon configuration for allowed empty passwords using the command: `# grep -i PermitEmptyPasswords /etc/ssh/sshd_config \| grep -v '^#'`. Expected output: `PermitEmptyPasswords no`. If no lines are returned, or the returned "PermitEmptyPasswords" directive contains "yes", this is a finding. |
Fix Text (F-16498r294358_fix) |
---|
Edit "/etc/ssh/sshd_config" and add or edit the "PermitEmptyPasswords" line as: `PermitEmptyPasswords no`. Save the change and restart the SSH daemon: `# stopsrc -s sshd` followed by `# startsrc -s sshd`. |
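The check and the fix above, combined into one portable POSIX shell script that can be pointed at any sshd_config file. This is an added example, not part of the STIG text or of IBM's tooling; the function names (`check_permit_empty_passwords`, `fix_permit_empty_passwords`, `demo_v215302`) and the sample configurations it builds in a temporary directory are constructed for illustration. It goes slightly beyond the STIG's `grep -v '^#'` by stripping leading whitespace before deciding whether a line is a comment, which is how sshd itself reads the file, and it uses the first effective directive because sshd honours the first occurrence of a keyword.

```shell
#!/bin/sh
# Added example for V-215302 (not the STIG's or IBM's code). Function names and
# the sample files written by demo_v215302 are constructed for illustration.

# Returns 0 (compliant) only when the first effective PermitEmptyPasswords
# directive is "no". Returns 1 (finding) when no directive exists or the
# directive says anything else, e.g. "yes". Leading whitespace is stripped
# before the comment test, matching sshd's parser rather than the plain
# grep -v '^#'. Match blocks are not distinguished, same as the STIG command.
check_permit_empty_passwords() {
    cfg=$1
    effective=$(awk '
        { sub(/^[ \t]+/, "") }                      # strip leading whitespace
        /^#/ || /^$/ { next }                       # skip comments and blank lines
        { split($0, kv, /[ \t=]+/) }                # accept "Key value" or "Key=value"
        tolower(kv[1]) == "permitemptypasswords" {  # first occurrence wins, as in sshd
            print tolower(kv[2]); exit
        }' "$cfg")
    [ "$effective" = "no" ]
}

# Rewrites every uncommented PermitEmptyPasswords directive to "no" and appends
# one when none exists. Writes through a temp file because `sed -i` is not
# portable (AIX sed lacks it). Restarting sshd (stopsrc/startsrc per the Fix
# Text) is left to the operator so the edit can be reviewed first.
fix_permit_empty_passwords() {
    cfg=$1
    tmp="$cfg.$$.tmp"
    awk '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line !~ /^#/ && tolower(line) ~ /^permitemptypasswords([ \t=]|$)/) {
                print "PermitEmptyPasswords no"; seen = 1; next
            }
            print
        }
        END { if (!seen) print "PermitEmptyPasswords no" }' "$cfg" > "$tmp" \
    && mv "$tmp" "$cfg"
}

# Self-contained demonstration on constructed sample files. Returns 0 when every
# case behaves as the Check Text and Fix Text say it should.
demo_v215302() {
    dir=$(mktemp -d) || return 1
    # Case 1: directive only present as a comment -> "no lines returned" -> finding.
    printf '#PermitEmptyPasswords no\nPasswordAuthentication yes\n' > "$dir/commented"
    # Case 2: empty passwords explicitly allowed -> finding.
    printf 'PermitEmptyPasswords yes\n' > "$dir/allowed"
    # Case 3: compliant; the indented comment is a line the bare grep would surface.
    printf '  #PermitEmptyPasswords yes\nPermitEmptyPasswords no\n' > "$dir/compliant"

    rc=0
    check_permit_empty_passwords "$dir/commented" && rc=1
    check_permit_empty_passwords "$dir/allowed"   && rc=1
    check_permit_empty_passwords "$dir/compliant" || rc=1

    # Apply the fix to the two findings and confirm the check now passes.
    fix_permit_empty_passwords "$dir/commented"
    fix_permit_empty_passwords "$dir/allowed"
    check_permit_empty_passwords "$dir/commented" || rc=1
    check_permit_empty_passwords "$dir/allowed"   || rc=1

    rm -rf "$dir"
    return $rc
}

demo_v215302 && echo "V-215302: all sample cases behave as expected"
```

Run the script as-is to see the demonstration, or source it and call `check_permit_empty_passwords /etc/ssh/sshd_config` during an audit; the exit status (0 compliant, 1 finding) makes it usable from a larger compliance script.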