4.2.19 Ensure sshd PermitEmptyPasswords is disabled

Information

The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings.

Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system.

Solution

Edit /etc/ssh/sshd_config and set the PermitEmptyPasswords parameter to no above any Match entries:

PermitEmptyPasswords no

Note: First occurrence of a option takes precedence, Match set statements withstanding.

See Also

https://workbench.cisecurity.org/benchmarks/15965

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 50967cc52b9a27b38ec722286dd7d1c566434a8b27e9232bc212376a282e915b