RHEL 10 must be configured so that SSHD does not allow blank passwords.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-281264 | RHEL-10-700610 | SV-281264r1184764_rule | CCI-000766 | medium |
| Description | ||||
| If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. OpenSSH uses the first occurrence of a keyword it sees, and drop-in files are read in lexicographical order at the start of the configuration. Red Hat recommends using drop-in files rather than changing base configuration files. Satisfies: SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229 | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 10 Security Technical Implementation Guide | 2026-03-11 | |||
Details
Check Text (C-281264r1184764_chk)
Verify RHEL 10 remote access using SSH prevents logging on with a blank password with the following command:
$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitemptypasswords'
/etc/ssh/sshd_config.d/10-stig.conf:PermitEmptyPasswords no
Verify the runtime setting with the following command:
$ sudo sshd -T | grep -i permitemptypasswords
permitemptypasswords no
If the "PermitEmptyPasswords" keyword is not set to "no" in a drop-in that lexicographically precedes 50-redhat.conf, or if no output is returned, this is a finding.
Fix Text (F-85730r1166743_fix)
Configure RHEL 10 to prevent SSH users from logging on with blank passwords.
In "/etc/ssh/sshd_config.d", create a drop file that will lexicographically precede 50-redhat.conf and add the following line:
PermitEmptyPasswords no
Restart the SSH daemon with the following command for the settings to take effect:
$ sudo systemctl restart sshd.service