Title

The Ubuntu operating system must be configured so that the SSH daemon does not allow authentication using an empty password. (Cat I impact)

Discussion

Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security.

Check Content

To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config PermitEmptyPasswords no If no line is returned, the line is commented out, or the value is set to "yes", this is a finding.

Fix Text

To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config": PermitEmptyPasswords no Note: Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: # sudo systemctl restart sshd.service

Additional Identifiers

Rule ID: SV-215126r610931_rule

Vulnerability ID: V-215126

Group Title: SRG-OS-000480-GPOS-00229

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.