HIGH H3: SSHD Empty Passwords P1
Overview
This remediation configures the SSH daemon to explicitly deny authentication with empty passwords. This is a HIGH severity compliance requirement.
Settings
| Setting | Value | Description |
|---|---|---|
| PermitEmptyPasswords | no | Prevent SSH login with empty passwords |
Implementation
The remediation applies a MachineConfig with SSHD hardening:
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-sshd-hardening
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/ssh/sshd_config.d/75-hardening.conf
          mode: 0600
          overwrite: true
          contents:
            inline: |
              # HIGH severity - Disable empty passwords
              PermitEmptyPasswords no
```
Compliance Checks Remediated
This group addresses the following compliance checks:
| Check | Profile | Description | Docs |
|---|---|---|---|
| rhcos4-e8-worker-sshd-disable-empty-passwords | E8 | Disable SSH empty passwords (worker) | 📖 |
| rhcos4-e8-master-sshd-disable-empty-passwords | E8 | Disable SSH empty passwords (master) | 📖 |
Source Remediation Files
- high/rhcos4-e8-worker-sshd-disable-empty-passwords.yaml
- high/rhcos4-e8-master-sshd-disable-empty-passwords.yaml
Verification
After applying the MachineConfig, verify SSHD configuration:
```bash
oc debug node/<node-name> -- chroot /host sshd -T | grep permitemptypasswords
# Expected output: permitemptypasswords no
```
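The single-node check above prints nothing if the debug pod fails, which is easy to misread as a pass, and the compliance checks cover both worker and master nodes. The following added example (not part of the original remediation files) runs the same `sshd -T` check on every node and separates "non-compliant" from "could not verify"; the function names `check_permit_empty` and `audit_nodes` and the `--audit` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the remediation repo); function names are hypothetical.

# Classify `sshd -T` output read from stdin.
# Returns 0 if the effective value is "no", 1 for any other value,
# 2 if the keyword is absent (e.g. the debug pod produced no sshd output).
check_permit_empty() {
    value=$(awk 'tolower($1) == "permitemptypasswords" { print tolower($2); exit }')
    case "$value" in
        no) return 0 ;;
        "") return 2 ;;
        *)  return 1 ;;
    esac
}

# Check every node (master and worker) and print one result line per node.
# Returns 1 if any node is non-compliant or could not be checked.
audit_nodes() {
    failed=0
    for node in $(oc get nodes -o name); do
        rc=0
        oc debug "$node" -- chroot /host sshd -T 2>/dev/null | check_permit_empty || rc=$?
        case "$rc" in
            0) echo "PASS    $node" ;;
            1) echo "FAIL    $node: permitemptypasswords is not 'no'"; failed=1 ;;
            *) echo "UNKNOWN $node: no sshd -T output"; failed=1 ;;
        esac
    done
    return "$failed"
}

# Run against the current cluster context only when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_nodes
fi
```

Run it with `--audit` while logged in to the cluster; a non-zero exit status means at least one node failed or could not be verified.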
Security Impact
Disabling empty passwords ensures that:
- All SSH connections require proper password or key authentication
- Accounts without passwords cannot be accessed remotely
- The node configuration complies with the Essential Eight and CIS benchmarks
Related SSHD Groups
Other SSHD hardening groups (to be addressed separately):
- M1: SSHD Configuration - MEDIUM severity SSHD settings
- L1: SSHD LogLevel - LOW severity SSHD setting