Disabling empty-password logins in SSH blocks accounts with unset or blank passwords from authenticating, closing off an easy path for attackers and misconfigured scripts. Strengthened authentication reduces brute-force exposure, protects unattended accounts, and matches common security baselines for production servers.

OpenSSH reads configuration from /etc/ssh/sshd_config and any included snippet files to decide which authentication methods are allowed. The PermitEmptyPasswords directive controls whether accounts with effectively empty passwords may authenticate when password-based logins are enabled, while leaving public-key or host-based authentication unaffected.

Most Linux distributions ship with empty-password logins disabled by default, but explicitly configuring the directive prevents surprises after upgrades or vendor changes. Commands in these steps target Ubuntu and other Debian-derived systems where the unit is named ssh; on platforms that use sshd as the service name, only the unit name needs adjusting. Configuration mistakes can block new SSH sessions, so console access or a secondary connection is advisable while changing authentication settings.

Steps to disable empty-password logins in SSH:

  1. Open a terminal on the SSH server with sudo privileges.
    $ whoami
    user
  2. Check the current PermitEmptyPasswords setting in the main configuration file.
    $ sudo grep -i '^PermitEmptyPasswords' /etc/ssh/sshd_config
    PermitEmptyPasswords no

    No output from the grep command usually means PermitEmptyPasswords is not explicitly set and defaults to no on modern OpenSSH versions.

  3. Open the SSH daemon configuration file in a text editor with elevated privileges.
    $ sudo nano /etc/ssh/sshd_config

    Any root-capable editor such as nano, vim, or sudoedit can edit /etc/ssh/sshd_config.

  4. Ensure a line is present in /etc/ssh/sshd_config that disables empty-password logins.
    # /etc/ssh/sshd_config
    PermitEmptyPasswords no

    Setting PermitEmptyPasswords to yes allows accounts with empty passwords to authenticate whenever password-based logins are enabled; leaving it unset leaves the outcome to the built-in default and to any included snippet files.

  5. Test the sshd configuration for syntax errors.
    $ sudo sshd -t

    No output from sshd -t indicates that the configuration is syntactically valid.

  6. Restart the ssh service to apply the change.
    $ sudo systemctl restart ssh

    Restarting ssh immediately applies configuration changes and can terminate or prevent SSH sessions if the configuration is broken; ensure a recovery path such as console or out-of-band access is available before running this command.

  7. Check the ssh service status for an active state and recent log lines.
    $ sudo systemctl status ssh
    ● ssh.service - OpenBSD Secure Shell server
         Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
         Active: active (running) since Thu 2025-12-11 10:15:01 UTC; 5s ago
           Docs: man:sshd(8)
                 man:sshd_config(5)
       Main PID: 1234 (sshd)
          Tasks: 1 (limit: 12345)
         Memory: 5.2M
            CPU: 120ms
         CGroup: /system.slice/ssh.service
                 └─1234 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
    ##### snipped #####
  8. Confirm that the effective configuration reports empty-password logins as disabled.
    $ sudo sshd -T | grep -i permitemptypasswords
    permitemptypasswords no

    The sshd -T command shows the final configuration after all defaults and includes have been applied, ensuring that empty-password authentication is fully disabled.
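
Step 2's grep reads only the main file, and sshd -T applies Match rules only when connection parameters are supplied with -C, so a PermitEmptyPasswords line inside an included snippet or a Match block is easy to overlook. The following shell function is an added example, not part of the original article: it lists every occurrence with its file, line number and enclosing scope, and returns non-zero if any is set to yes. The function names, the kiosk user and the sample files are constructed for illustration, and each file passed in is assumed to start in global scope.

```shell
# List every PermitEmptyPasswords line in the given sshd config files,
# with its file, line number and enclosing Match block (or "global").
# Returns 1 if any occurrence is set to "yes", 0 otherwise.
# Assumption: each file starts in global scope (Include at top of main file).
audit_empty_pw() {
    awk '
        FNR == 1 { ctx = "global" }              # new file: reset scope
        { line = $0
          sub(/^[ \t]+/, "", line)               # leading whitespace is ignored
          if (line == "" || line ~ /^#/) next    # skip blanks and comments
          split(line, f, /[ \t=]+/)              # "Key value" or "Key=value"
          key = tolower(f[1]) }                  # keywords are case-insensitive
        key == "match" { ctx = line; next }      # remember the enclosing block
        key == "permitemptypasswords" {
            val = tolower(f[2])
            printf "%s:%d [%s] %s\n", FILENAME, FNR, ctx, val
            if (val == "yes") bad = 1
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the main file says "no", but a snippet re-enables
# empty passwords for one user inside a Match block.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'Include sshd_config.d/*.conf' '#PermitEmptyPasswords yes' \
        'PermitEmptyPasswords no' > "$d/sshd_config"
    mkdir "$d/sshd_config.d"
    printf '%s\n' 'Match User kiosk' '    permitemptypasswords yes' \
        > "$d/sshd_config.d/50-kiosk.conf"
    echo "$d"
}

sample=$(make_sample)
audit_empty_pw "$sample/sshd_config" "$sample"/sshd_config.d/*.conf \
    || echo "FINDING: empty-password logins are enabled in at least one scope"
rm -rf "$sample"
```

On an Ubuntu host the snippet directory is typically /etc/ssh/sshd_config.d, so the call becomes `audit_empty_pw /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf`.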
