The AIX SSH daemon must be configured to disable empty passwords.
An XCCDF Rule
Description
<VulnDiscussion>When password authentication is allowed, PermitEmptyPasswords specifies whether the server allows login to accounts with empty password strings. If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-215302r991591_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Edit "/etc/ssh/sshd_config" and add or edit the "PermitEmptyPasswords " line as:
PermitEmptyPasswords no
Save the change and restart ssh daemon:
# stopsrc -s sshd
# startsrc -s sshd