4.2.7 Configuring SSH - disable null passwords

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.



The recommendation is to edit the /etc/ssh/sshd_config file to ensure that the SSH daemon does not authenticate users with a null password.

If password authentication is used and an account has an empty password, the SSH server must be configured to disallow access to the account. Permitting empty passwords could create an easy path of access for hackers to enter the system.


Edit the /etc/ssh/sshd_config file to disable the acceptance of null passwords:

vi /etc/ssh/sshd_config

Replace:

#PermitEmptyPasswords no

With:

PermitEmptyPasswords no

Recycle the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
startsrc -s sshd
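
A check for the result of this edit, as an added example that is not part of the benchmark text. The function names and the sample files are constructed here; the check assumes that a commented-out or missing line should fail, because the remediation above asks for an explicit setting, and it reads only the global section before any Match block.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit an sshd_config-style file
# for the PermitEmptyPasswords setting this control requires.

# Print the effective global value. sshd uses the first occurrence of a
# keyword, keywords are case-insensitive, and '#' lines are comments.
# Parsing stops at the first Match block, whose settings are conditional.
permit_empty_value() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim the line
        /^#/ || /^$/ { next }                          # skip comments and blanks
        { sub(/[ \t]*=[ \t]*/, " ") }                  # accept keyword=value form
        tolower($1) == "match" { exit }
        tolower($1) == "permitemptypasswords" {
            v = tolower($2); gsub(/"/, "", v); print v; exit
        }
    ' "$1"
}

# Return 0 only when the file explicitly sets the option to "no".
# Assumption: a missing or commented-out line fails, since the remediation
# uncomments the line even though OpenSSH itself defaults to "no".
check_permit_empty() {
    value=$(permit_empty_value "$1")
    case "$value" in
        no) echo "PASS: PermitEmptyPasswords no"; return 0 ;;
        "") echo "FAIL: PermitEmptyPasswords not set explicitly"; return 1 ;;
        *)  echo "FAIL: PermitEmptyPasswords $value"; return 1 ;;
    esac
}

# Constructed sample files: the commented-out state and the remediated state.
sample_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#PermitEmptyPasswords no' > "$sample_dir/before"
printf '%s\n' 'Port 22' 'PermitEmptyPasswords no'  > "$sample_dir/after"
check_permit_empty "$sample_dir/before" || true
check_permit_empty "$sample_dir/after"
```

Run check_permit_empty /etc/ssh/sshd_config after editing the file and before recycling the daemon.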
