Rule ID
SV-269374r1050257_rule
Version
V1R6
CCIs
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000108-GPOS-00055
Verify AlmaLinux OS 9 remote access using SSH prevents logging on with a blank password with the following command: $ sshd -T | grep -i permitemptypasswords permitemptypasswords no If "PermitEmptyPasswords" is set to "yes", or the line is missing, this is a finding.
Configure the SSH daemon to prevent users logging in with blank passwords. Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": PermitEmptyPasswords no Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file: $ cat << EOF | tee /etc/ssh/sshd_config.d/emptypasswords.conf PermitEmptyPasswords no EOF Restart the SSH daemon for the settings to take effect: $ systemctl restart sshd.service