Disable SSH Access via Empty Passwords
Description
Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords
.
To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in
/etc/ssh/sshd_config
:
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords.
Rationale
Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
if [ -e "/etc/ssh/sshd\_config" ] ; then
LC\_ALL=C sed -i "/^\s\*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd\_config"
else
touch "/etc/ssh/sshd\_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd\_config"
cp "/etc/ssh/sshd\_config" "/etc/ssh/sshd\_config.bak"
# Insert before the line matching the regex '^Match'.
line\_number="$(LC\_ALL=C grep -n "^Match" "/etc/ssh/sshd\_config.bak" | LC\_ALL=C sed 's/:.\*//g')"
if [ -z "$line\_number" ]; then
# There was no match of '^Match', insert at
# the end of the file.
printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd\_config"
else
head -n "$(( line\_number - 1 ))" "/etc/ssh/sshd\_config.bak" > "/etc/ssh/sshd\_config"
printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd\_config"
tail -n "+$(( line\_number ))" "/etc/ssh/sshd\_config.bak" >> "/etc/ssh/sshd\_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd\_config.bak"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Disable SSH Access via Empty Passwords
block:
- name: Check for duplicate values
lineinfile:
path: /etc/ssh/sshd\_config
create: false
regexp: (?i)^\s\*PermitEmptyPasswords\s+
state: absent
check\_mode: true
changed\_when: false
register: dupes
- name: Deduplicate values from /etc/ssh/sshd\_config
lineinfile:
path: /etc/ssh/sshd\_config
create: false
regexp: (?i)^\s\*PermitEmptyPasswords\s+
state: absent
when: dupes.found is defined and dupes.found > 1
- name: Insert correct line to /etc/ssh/sshd\_config
lineinfile:
path: /etc/ssh/sshd\_config
create: true
regexp: (?i)^\s\*PermitEmptyPasswords\s+
line: PermitEmptyPasswords no
state: present
insertbefore: ^[#\s]\*Match
validate: /usr/sbin/sshd -t -f %s
when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CJIS-5.5.6
- DISA-STIG-UBTU-20-010047
- NIST-800-171-3.1.1
- NIST-800-171-3.1.5
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
- NIST-800-53-CM-7(a)
- NIST-800-53-CM-7(b)
- PCI-DSS-Req-2.2.4
- PCI-DSSv4-2.2.6
- high\_severity
- low\_complexity
- low\_disruption
- no\_reboot\_needed
- restrict\_strategy
- sshd\_disable\_empty\_passwords