cfbs add ssh-permit-empty-passwords-no
Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system.
If possible it is recommended to inhibit the use of passwords at all and instead realy on keys with
PasswordAuthentication no
but inhibiting login with empty passwords is an excellent fallback and good to have present in case a situation prevents the use of keys.
Add PermitEmptyPasswords yes to /etc/ssh/sshd_config.
$ grep ^PermitEmpty /etc/ssh/sshd_config
PermitEmptyPasswords yes
$ sudo cf-agent -KIb ssh_permit_empty_passwords_no
info: Using command line specified bundlesequence
info: Copied file '/etc/ssh/sshd_config' to '/etc/ssh/sshd_config.staged.cfnew' (mode '600')
info: Removed old backup '/etc/ssh/sshd_config.staged.cfsaved'
info: Backed up '/etc/ssh/sshd_config.staged' as '/etc/ssh/sshd_config.staged.cfsaved'
info: Moved '/etc/ssh/sshd_config.staged.cfnew' to '/etc/ssh/sshd_config.staged'
info: Updated '/etc/ssh/sshd_config.staged' from source '/etc/ssh/sshd_config' on 'localhost'
info: Replaced pattern '^\s*(PermitEmptyPasswords\s+(?!no$).*|PermitEmptyPasswords)$' in '/etc/ssh/sshd_config.staged'
info: replace_patterns promise '^\s*(PermitEmptyPasswords\s+(?!no$).*|PermitEmptyPasswords)$' repaired
info: Edited file '/etc/ssh/sshd_config.staged'
info: Copied file '/etc/ssh/sshd_config.staged' to '/etc/ssh/sshd_config.cfnew' (mode '640')
info: Removed old backup '/etc/ssh/sshd_config.cfsaved'
info: Backed up '/etc/ssh/sshd_config' as '/etc/ssh/sshd_config.cfsaved'
info: Moved '/etc/ssh/sshd_config.cfnew' to '/etc/ssh/sshd_config'
info: Updated '/etc/ssh/sshd_config' from source '/etc/ssh/sshd_config.staged' on 'localhost'
info: Executing 'no timeout' ... '/bin/systemctl --no-ask-password --global --system -q restart sshd'
info: Completed execution of '/bin/systemctl --no-ask-password --global --system -q restart sshd'
$ grep ^PermitEmpty /etc/ssh/sshd_config
PermitEmptyPasswords no
The reason that there is quite a bit of output is because it's a multi-step process:
If you run cf-agent -KI again, there will be no output, no changes will be made, since the configuration is already correct.
This module ensures that PermitEmptyPasswords is set to no in /etc/ssh/sshd_config leveraging lib_sshd_config:global_key_values from the library-sshd-config module.