UCF STIG Viewer Logo

The SSH daemon must not allow authentication using an empty password.


Overview

Finding ID Version Rule ID IA Controls Severity
V-218001 RHEL-06-000239 SV-218001r505923_rule High
Description
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2020-09-03

Details

Check Text ( C-19482r377018_chk )
To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:

# grep -i PermitEmptyPasswords /etc/ssh/sshd_config

If no line, a commented line, or a line indicating the value "no" is returned, then the required value is set.
If the required value is not set, this is a finding.
Fix Text (F-19480r377019_fix)
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.