SV-90513r3_rule
V-75833
SRG-OS-000480-GPOS-00229
UBTU-16-030250
CAT I
10
To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":
PermitEmptyPasswords no
Note: Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:
# sudo systemctl restart sshd.service
To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:
# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
PermitEmptyPasswords no
If no line is returned, the line is commented out, or the value is set to "yes", this is a finding.
V-75833
False
UBTU-16-030250
To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:
# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
PermitEmptyPasswords no
If no line is returned, the line is commented out, or the value is set to "yes", this is a finding.
M
3075