AlmaLinux OS 9 SSHD must not allow blank passwords.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-269374 | SRG-OS-000106-GPOS-00053 | ALMA-09-034120 | SV-269374r1050257_rule | 2025-02-20 | 1 |
Description |
---|
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000108-GPOS-00055 |
ℹ️ Check |
---|
Verify AlmaLinux OS 9 remote access using SSH prevents logging on with a blank password with the following command:

```sh
$ sshd -T | grep -i permitemptypasswords
permitemptypasswords no
```

If "PermitEmptyPasswords" is set to "yes", or the line is missing, this is a finding.
✔️ Fix |
---|
Configure the SSH daemon to prevent users logging in with blank passwords.

Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":

```sh
PermitEmptyPasswords no
```

Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:

```sh
$ cat << EOF | tee /etc/ssh/sshd_config.d/emptypasswords.conf
PermitEmptyPasswords no
EOF
```

Restart the SSH daemon for the settings to take effect:

```sh
$ systemctl restart sshd.service
```
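
The check above can be scripted for repeated audits. The following is an added example, not part of the STIG: it applies the finding rule to `sshd -T` output and also lists any uncommented `PermitEmptyPasswords yes` line in the configuration files, including inside `Match` blocks, since `sshd -T` reports global settings unless connection parameters are supplied with `-C`. The function names, the `kiosk` user and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not STIG content): automate the PermitEmptyPasswords check.

# check_effective: reads `sshd -T` output on stdin. Returns 0 only when
# permitemptypasswords is reported as "no"; "yes" or a missing line is a finding.
check_effective() {
    value=$(awk 'tolower($1) == "permitemptypasswords" { print tolower($2); exit }')
    case "$value" in
        no)  echo "PASS: permitemptypasswords no"; return 0 ;;
        yes) echo "FINDING: permitemptypasswords yes"; return 1 ;;
        *)   echo "FINDING: permitemptypasswords not reported"; return 1 ;;
    esac
}

# find_enabling_lines FILE...: prints file:line:text for every uncommented
# directive that enables empty passwords, including ones inside Match blocks.
find_enabling_lines() {
    awk '{
        line = $0
        sub(/[ \t]*=[ \t]*/, " ", line)   # accept the "Keyword=value" form
        gsub(/"/, "", line)               # accept quoted values
        n = split(line, f, " ")           # whitespace split, leading blanks ignored
        if (n >= 2 && tolower(f[1]) == "permitemptypasswords" && tolower(f[2]) == "yes")
            printf "%s:%d:%s\n", FILENAME, FNR, $0
    }' "$@"
}

# demo: runs both functions on constructed sample data (not from a real host).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'Include /etc/ssh/sshd_config.d/*.conf\nPermitEmptyPasswords no\n' > "$tmp/sshd_config"
    printf '#PermitEmptyPasswords yes\nMatch User kiosk\n    PermitEmptyPasswords yes\n' > "$tmp/50-kiosk.conf"
    printf 'port 22\npermitemptypasswords no\n' | check_effective
    find_enabling_lines "$tmp/sshd_config" "$tmp/50-kiosk.conf"
    rm -rf "$tmp"
}

# On a real host, as root:
#   sshd -T | check_effective
#   find_enabling_lines /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Any line printed by `find_enabling_lines` should be reviewed even when `check_effective` passes, because the global value can be "no" while a drop-in or `Match` block sets "yes".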