SSH Disable PermitEmptyPasswords

Disables SSH login with empty passwords by setting PermitEmptyPasswords to no in sshd_config

Worklet Details

What the empty password SSH disabler does

This Automox Worklet™ configures OpenSSH to reject authentication attempts using empty passwords by setting PermitEmptyPasswords to no in /etc/ssh/sshd_config. While most Linux distributions disable this by default, explicit configuration provides defense in depth and satisfies compliance auditors.

The Worklet searches for an existing PermitEmptyPasswords setting and updates it, or appends the setting if not present. This approach works whether the setting is currently enabled, disabled, or commented out.

Why disable empty password SSH authentication

SSH servers that allow empty passwords enable attackers to access your Linux endpoints without any credential challenge. An attacker scanning your network for SSH services can attempt login with blank passwords and immediately gain shell access to any endpoint with accounts that have empty passwords. This represents one of the most basic and preventable security failures in SSH configuration.

Some Linux distributions and deployment tools create user accounts with empty passwords during installation or initial configuration. These accounts exist in your /etc/passwd file but have no password entry in /etc/shadow. If your SSH configuration permits empty passwords, these accounts become immediate entry points for unauthorized access.

Security scanning tools and compliance frameworks specifically check SSH configurations for the PermitEmptyPasswords setting. Standards like CIS Benchmarks for Linux, STIG requirements, and PCI-DSS controls explicitly require this setting to be disabled. Leaving it enabled generates critical findings in security audits and penetration tests.

Default SSH configurations on many Linux distributions set PermitEmptyPasswords to 'yes' or do not explicitly define it, causing SSH to use permissive default behavior. Administrators who never explicitly set this value may unknowingly run SSH servers that accept empty password authentication.

How empty password disabling works

  1. Evaluation phase: Always triggers remediation (exit 1) to apply the configuration. This is a run-once hardening action.

  2. Remediation phase: Uses grep and sed to find and update any existing PermitEmptyPasswords line to PermitEmptyPasswords no. If no existing line is found, appends the setting to /etc/ssh/sshd_config. An optional sshd restart is available by uncommenting the service restart line.
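
The find-and-update-or-append behavior described above, as an added example (not the Worklet's own script, which this page does not show). It goes beyond the described grep/sed approach: it uses awk, matches the keyword case-insensitively, and writes the setting ahead of any Match block, because a line appended after a Match block only applies inside that block. The function name and the .bak backup are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the Worklet's script: force "PermitEmptyPasswords no"
# in the sshd_config-style file given as $1 (path is the caller's choice).
set_permit_empty_passwords_no() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    tmp=$(mktemp) || return 2
    awk '
    # Keyword names are case-insensitive; match active and commented forms.
    function is_key(l) {
        return tolower(l) ~ /^[ \t]*#*[ \t]*permitemptypasswords[ \t=]+(yes|no)([ \t]|$)/
    }
    # Everything after a Match line is conditional, so the global setting
    # must be written before the first Match block if it is still missing.
    tolower($0) ~ /^[ \t]*match[ \t]/ {
        if (!done) { print "PermitEmptyPasswords no"; done = 1 }
        in_match = 1
    }
    is_key($0) {
        # First global occurrence (enabled, disabled or commented out).
        if (!in_match && !done) { print "PermitEmptyPasswords no"; done = 1; next }
        # Any later active occurrence, including inside Match blocks.
        if ($0 !~ /^[ \t]*#/) {
            indent = $0; sub(/[^ \t].*$/, "", indent)
            print indent "PermitEmptyPasswords no"; next
        }
    }
    { print }
    END { if (!done) print "PermitEmptyPasswords no" }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$tmp" "$cfg"; then
        rm -f "$tmp"; return 0            # already compliant, leave file alone
    fi
    # Keep a backup; overwrite in place so owner, mode and labels are kept.
    cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample config (not from a real host) showing the rewrite.
demo=$(mktemp)
printf '%s\n' 'Port 22' '#PermitEmptyPasswords no' \
    'Match User backup' '    PermitEmptyPasswords yes' > "$demo"
set_permit_empty_passwords_no "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

Running sshd -t against the edited file before restarting the service catches syntax errors while existing sessions are still available.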

SSH empty password configuration requirements

  • Linux endpoints with OpenSSH server installed

  • Root privileges for the Automox agent

  • To apply immediately, uncomment the service sshd restart line in the remediation script

  • Compatible with workstations and servers

Expected SSH authentication behavior

The SSH server configuration file /etc/ssh/sshd_config now contains the line 'PermitEmptyPasswords no'. The SSH daemon reads this configuration on next startup and enforces the restriction. All future SSH authentication attempts must provide a non-empty password, cryptographic key, or other configured authentication method.

If the service restart line in the remediation script is uncommented, the SSH service restarts to apply the configuration change. Active SSH sessions remain connected, but new connection attempts are subject to the updated authentication policy. Accounts with empty passwords can no longer authenticate via SSH.

Users who attempt to log in with accounts that have empty passwords receive authentication failures. The SSH server logs these attempts in /var/log/auth.log or /var/log/secure, showing 'authentication failure' or 'invalid user' messages depending on the specific configuration.

You can verify the configuration by running 'sshd -T | grep permitemptypasswords' on the endpoint. The output shows 'permitemptypasswords no', confirming that the SSH daemon has loaded and applied your security setting. Alternatively, inspect /etc/ssh/sshd_config directly to see the configuration line.

How to validate SSH Disable PermitEmptyPasswords changes

  1. Run this Worklet on a pilot Linux endpoint and review evaluation output for SSH Disable PermitEmptyPasswords.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

  4. Validate remediation effects from script operations such as grep and exit, then rerun evaluation for compliance.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.