Profile Applicability:
 • Level 1

Description:
 The PermitEmptyPasswords option in the SSH daemon (sshd) configuration determines whether SSH allows login to accounts with empty passwords. Disabling this option enhances security by preventing authentication without a password.

Rationale:
 Allowing empty passwords significantly weakens system security and increases the risk of unauthorized access. Disabling this option enforces proper password usage.

Impact:
Pros:

  • Eliminates risk of unauthorized login via empty passwords.

  • Enforces strong authentication policies.

Cons:

  • May lock out accounts configured with empty passwords (not recommended).

Default Value:
 PermitEmptyPasswords is usually set to no by default, but this should be verified.

Pre-requisites:

  • Root or sudo privileges to modify SSH daemon configuration.

Remediation:

Test Plan:

Using Linux command line:

Check current PermitEmptyPasswords setting in /etc/ssh/sshd_config:

grep ^PermitEmptyPasswords /etc/ssh/sshd_config

  1. Verify it is set to no. If the command prints nothing, no active directive is present and sshd's default applies; a commented-out line (starting with #) does not count as a setting.

Implementation Plan:

Using Linux command line:

Edit /etc/ssh/sshd_config:

vi /etc/ssh/sshd_config

Set PermitEmptyPasswords to no:

PermitEmptyPasswords no

Save the file and restart sshd:

systemctl restart sshd

Confirm the setting:

grep ^PermitEmptyPasswords /etc/ssh/sshd_config
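
The following shell functions are an added example, not part of this benchmark, that perform the check and the change above on a given file while parsing it the way sshd does (case-insensitive keywords, key=value form, first global occurrence wins, Match blocks can override), so a commented-out or differently-cased directive is not mistaken for an active one. The function names, the "only this file is parsed" simplification and the in-place rewrite strategy are assumptions of this example.

```shell
# Audit/remediate PermitEmptyPasswords in an sshd_config-style file (argument: path).
# Assumptions: only the named file is parsed (Include'd files are not followed), and
# sshd's own rules apply: keywords are case-insensitive, "key value" or "key=value"
# syntax, '#' starts a comment, the FIRST global occurrence wins, and an absent
# keyword means the OpenSSH default of "no".

# Print the effective global value ("no" when the directive is absent).
effective_permit_empty_passwords() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments and blank lines
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }           # accept key=value form
        tolower($1) == "match" { exit }                     # global section ends here
        tolower($1) == "permitemptypasswords" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# Print every Match block that re-enables empty passwords for a subset of connections.
match_blocks_permitting_empty() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }
        tolower($1) == "match" { block = $0; next }
        block != "" && tolower($1) == "permitemptypasswords" && tolower($2) == "yes" { print block }
    ' "$1"
}

# Exit status 0 only when the global value is "no" and no Match block overrides it.
audit_permit_empty_passwords() {
    [ "$(effective_permit_empty_passwords "$1")" = "no" ] &&
        [ -z "$(match_blocks_permitting_empty "$1")" ]
}

# Force the global value to "no": rewrite the first active directive, or insert one
# before the first Match block, or append it. Idempotent; other lines are left intact.
set_permit_empty_passwords_no() {
    tmp=$(mktemp) || return 1
    awk '
        { line = $0; sub(/[[:space:]]*=[[:space:]]*/, " ", line); split(line, f) }
        !done && tolower(f[1]) == "match" { print "PermitEmptyPasswords no"; done = 1 }
        !done && tolower(f[1]) == "permitemptypasswords" { $0 = "PermitEmptyPasswords no"; done = 1 }
        { print }
        END { if (!done) print "PermitEmptyPasswords no" }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# On a live host: audit_permit_empty_passwords /etc/ssh/sshd_config; after
# set_permit_empty_passwords_no, run `sshd -t` before `systemctl restart sshd`.
```

On a running host, `sshd -T` prints the configuration sshd will actually use (Include'd files resolved), so `sshd -T | grep -i permitemptypasswords` is the authoritative confirmation after the restart.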


Backout Plan:

Using Linux command line:

  1. Set PermitEmptyPasswords to yes if necessary.

  2. Restart sshd and verify behavior.

References: