STIGQter STIGQter: STIG Summary: Canonical Ubuntu 16.04 Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jan 2020: The Ubuntu operating system must be configured so that the SSH daemon does not allow authentication using an empty password.

DISA Rule

SV-90513r3_rule

Vulnerability Number

V-75833

Group Title

SRG-OS-000480-GPOS-00229

Rule Version

UBTU-16-030250

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":

PermitEmptyPasswords no

Note: Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command:

# sudo systemctl restart sshd.service

Check Contents

To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:

# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
PermitEmptyPasswords no

If no line is returned, the line is commented out, or the value is set to "yes", this is a finding.

Vulnerability Number

V-75833

Documentable

False

Rule Version

UBTU-16-030250

Severity Override Guidance

To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:

# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
PermitEmptyPasswords no

If no line is returned, the line is commented out, or the value is set to "yes", this is a finding.

Check Content Reference

M

Target Key

3075

Comments