The SSH daemon must not allow authentication using an empty password.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-38614 | RHEL-06-000239 | SV-50415r1_rule | High |
| Description |
|---|
| Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2014-06-10 |
Details
| Check Text ( None ) |
|---|
| None |
| Fix Text (F-43562r1_fix) |
|---|
| To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |