AlmaLinux OS 9 SSHD must not allow blank passwords.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269374 | ALMA-09-034120 | SV-269374r1050257_rule | | Medium |
| Description |
| If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000108-GPOS-00055 |
| STIG | Date |
| CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide | 2025-05-22 |
Details
Check Text (C-73405r1049574_chk)

Verify AlmaLinux OS 9 remote access using SSH prevents logging on with a blank password with the following command:

```
$ sshd -T | grep -i permitemptypasswords
permitemptypasswords no
```

If "PermitEmptyPasswords" is set to "yes", or the line is missing, this is a finding.
Fix Text (F-73306r1048499_fix)

Configure the SSH daemon to prevent users logging in with blank passwords.

Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":

```
PermitEmptyPasswords no
```

Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

```
$ cat << EOF | tee /etc/ssh/sshd_config.d/emptypasswords.conf
PermitEmptyPasswords no
EOF
```

Restart the SSH daemon for the settings to take effect:

```
$ systemctl restart sshd.service
```
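The fix text's include-file option depends on where the "Include" line sits and on which drop-in is read first, because sshd uses the first value it obtains for a keyword. The script below is an added example, not part of the STIG: it resolves "PermitEmptyPasswords" from static files under a constructed sample tree. The function names `resolve`, `check` and `make_sample` and the drop-in `10-legacy.conf` are hypothetical.

```shell
#!/bin/sh
# Added example: resolve PermitEmptyPasswords from static files, first value wins.
# Assumptions: one pattern per Include line, "Keyword value" syntax (no "=").

# resolve ROOT FILE: print the first value set in FILE (a path under ROOT).
resolve() (
    root=$1 file=$2
    [ -r "$root$file" ] || exit 0
    while read -r key val rest || [ -n "$key" ]; do
        case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
            permitemptypasswords) printf '%s\n' "$val"; exit 0 ;;
            match) exit 0 ;;  # Match blocks are not evaluated; stop scanning this file
            include)
                case $val in /*) ;; *) val=/etc/ssh/$val ;; esac
                for inc in "$root"$val; do  # glob expands in lexical order
                    [ -f "$inc" ] || continue
                    found=$(resolve "$root" "${inc#"$root"}")
                    if [ -n "$found" ]; then printf '%s\n' "$found"; exit 0; fi
                done ;;
        esac
    done < "$root$file"
    exit 0
)

# check ROOT: apply the check text to the resolved value; returns 0 when compliant.
check() {
    value=$(resolve "$1" /etc/ssh/sshd_config)
    case $value in
        [Nn][Oo]) echo "not a finding: PermitEmptyPasswords no"; return 0 ;;
        [Yy][Ee][Ss]) echo "finding: PermitEmptyPasswords yes"; return 1 ;;
        *) echo "finding: PermitEmptyPasswords not set or unrecognized"; return 1 ;;
    esac
}

# make_sample: build a constructed config tree (not from a real host), print its root.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssh/sshd_config.d"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '#PermitEmptyPasswords no' \
        'PermitEmptyPasswords yes' > "$root/etc/ssh/sshd_config"
    printf 'PermitEmptyPasswords no\n' > "$root/etc/ssh/sshd_config.d/emptypasswords.conf"
    printf '%s\n' "$root"
}

root=$(make_sample)
check "$root"            # the drop-in is read before the later "yes" in the main file
printf 'PermitEmptyPasswords yes\n' > "$root/etc/ssh/sshd_config.d/10-legacy.conf"
check "$root" || true    # an earlier-sorting drop-in now supplies the first value
rm -rf "$root"
```

The `sshd -T` output from the check text remains the authoritative result on a live host; this static pass only helps explain which file supplied the value.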