STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021

RHEL 8 must not have accounts configured with blank or null passwords.

DISA Rule

SV-230380r627750_rule

Vulnerability Number

V-230380

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

RHEL-08-020330

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" and add or edit the following line in "/etc/ssh/sshd_config" to prevent logons with empty passwords.

PermitEmptyPasswords no

The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:

$ sudo systemctl restart sshd.service

Note: Manual changes to the listed files may be overwritten by the "authselect" program.

Check Contents

To verify that null passwords cannot be used, run the following commands:

$ sudo grep -i nullok /etc/pam.d/system-auth /etc/pam.d/password-auth

If this produces any output, it may be possible to log on with accounts with empty passwords.

$ sudo grep -i permitemptypasswords /etc/ssh/sshd_config

PermitEmptyPasswords no

If "PermitEmptyPasswords" is set to "yes", or if null passwords can be used, this is a finding.

Note: Manual changes to the listed files may be overwritten by the "authselect" program.
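
The check above as a script, added here as an example that is not part of the STIG text: it skips commented-out lines, which the plain grep commands also match, and reports a finding only for an active "nullok" option or an active "PermitEmptyPasswords yes". The function names are hypothetical and the file paths are passed as arguments.

```shell
# Added example, not part of the STIG text. Function names are hypothetical.
# Usage: check_null_passwords /etc/ssh/sshd_config \
#            /etc/pam.d/system-auth /etc/pam.d/password-auth

# Print active (not commented-out) PAM lines that carry the nullok option.
pam_nullok_lines() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "warning: cannot read $f" >&2; continue; }
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            { for (i = 1; i <= NF; i++)
                  if (tolower($i) == "nullok") { print file ": " $0; next } }
        ' "$f"
    done
}

# Print every active PermitEmptyPasswords value, lowercased, one per line.
# Accepts both "Keyword value" and "Keyword=value".
sshd_permit_empty_values() {
    awk '
        /^[ \t]*#/ { next }
        { line = $0; sub(/=/, " ", line); n = split(line, a, " ")
          if (n >= 2 && tolower(a[1]) == "permitemptypasswords")
              print tolower(a[2]) }
    ' "$1"
}

# Return 0 when neither check yields a finding, 1 otherwise.
# Conservative: any active "yes" counts, including one inside a Match block.
check_null_passwords() {
    sshd_cfg=$1; shift
    rc=0
    hits=$(pam_nullok_lines "$@")
    if [ -n "$hits" ]; then
        printf 'FINDING: active nullok option:\n%s\n' "$hits"
        rc=1
    fi
    if sshd_permit_empty_values "$sshd_cfg" | grep -qx yes; then
        printf 'FINDING: PermitEmptyPasswords yes in %s\n' "$sshd_cfg"
        rc=1
    fi
    return $rc
}
```

Run it with enough privilege to read the files; a file that cannot be read produces a warning on stderr rather than a pass.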

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2921

Comments