How to disable empty-password logins in SSH

Disabling empty-password logins in SSH blocks accounts with unset or blank passwords from authenticating, closing off an easy path for attackers and misconfigured scripts. Strengthened authentication reduces brute-force exposure, protects unattended accounts, and matches common security baselines for production servers.

/OpenSSH reads configuration from /etc/ssh/sshd_config and any included snippet files to decide which authentication methods are allowed. The PermitEmptyPasswords directive controls whether accounts with effectively empty passwords may authenticate when password-based logins are enabled, while leaving public-key or host-based authentication unaffected.

Most Linux distributions ship with empty-password logins disabled by default, but explicitly configuring the directive prevents surprises after upgrades or vendor changes. Commands in these steps target Ubuntu and other Debian derived systems where the unit is named ssh; on platforms that use sshd as the service name, only the unit name needs adjusting. Configuration mistakes can block new SSH sessions, so console access or a secondary connection is advisable while changing authentication settings.

Related: How to allow or disallow SSH password authentication
Related: How to limit SSH authentication attempts
Related: How to automatically block failed SSH login attempts

Steps to disable empty-password logins in SSH:

  1. Open a terminal on the SSH server with sudo privileges. 
    $ whoami
user
  2. Check the current PermitEmptyPasswords setting in the main configuration file. 
    $ sudo grep -i '^PermitEmptyPasswords' /etc/ssh/sshd_config
PermitEmptyPasswords no

    No output from the grep command usually means PermitEmptyPasswords is not explicitly set and defaults to no on modern OpenSSH versions.

  3. Open the SSH daemon configuration file in a text editor with elevated privileges. 
    $ sudo nano /etc/ssh/sshd_config

    Any root-capable editor such as nano, vim, or sudoedit can edit /etc/ssh/sshd_config.

  4. Ensure a line is present in /etc/ssh/sshd_config that disables empty-password logins. 
    ///etc/ssh/sshd_config
PermitEmptyPasswords no

    Leaving PermitEmptyPasswords unset or setting it to yes can allow accounts with empty passwords to authenticate whenever password-based logins are enabled.

  5. Test the sshd configuration for syntax errors. 
    $ sudo sshd -t

    No output from sshd -t indicates that the configuration is syntactically valid.

    Related: How to test SSH server configuration

  6. Restart the ssh service to apply the change. 
    $ sudo systemctl restart ssh

    Restarting ssh immediately applies configuration changes and can terminate or prevent SSH sessions if the configuration is broken; ensure a recovery path such as console or out-of-band access is available before running this command.

    Related: How to manage the SSH server service with systemctl in Linux

  7. Check the ssh service status for an active state and recent log lines. 
    $ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-01-10 20:21:58 +08; 20ms ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 15757 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 15758 (sshd)
      Tasks: 1 (limit: 4546)
     Memory: 1.1M (peak: 1.4M)
        CPU: 10ms
     CGroup: /system.slice/ssh.service
##### snipped #####
  8. Confirm that the effective configuration reports empty-password logins as disabled. 
    $ sudo sshd -T | grep -i permitemptypasswords
permitemptypasswords no

    The sshd -T command shows the final configuration after all defaults and includes have been applied, ensuring that empty-password authentication is fully disabled.