I have turned off PermitEmptyPasswords in sshd_config, but a user with an empty password (deleted by passwd -d user) can still log in without a password. Why? It is a big security concern; Linux doesn't have the issue.
$ uname -a
SunOS 5.10 Generic_118855-14 i86pc i386 i86pc
$/etc/ssh/sshd_config
PermitEmptyPasswords no
I reproduced the issue on Solaris 10 update 4. It looks like a bug, so it might already be fixed in a patch. In any case, the same setting works as expected with OpenSolaris.
IMHO, the most serious issue is having passwordless accounts in the first place. If you can't avoid that (I'm missing why you shouldn't), you might try disabling Solaris 10 ssh and installing OpenSSH instead. Another option would be to install OpenSolaris, where the issue is definitely fixed.
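An audit for the condition discussed in this thread, as an added example that is not part of any poster's message: it lists accounts whose shadow password field is empty (the state `passwd -d user` leaves) and reports them regardless of the PermitEmptyPasswords value, since the thread shows the setting alone may not be honoured. The function names and sample files are constructed for illustration; first-occurrence-wins and the default of `no` follow OpenSSH behaviour and are assumptions for other sshd builds.

```shell
#!/bin/sh
# Added example: POSIX sh + awk. Point the functions at the real files to audit.

# Print every account whose shadow password field (field 2) is empty.
empty_password_users() {
    awk -F: '$1 != "" && $2 == "" { print $1 }' "$1"
}

# Print the effective PermitEmptyPasswords value from an sshd_config file.
# Keyword match is case-insensitive, comment lines are skipped, the first
# occurrence wins, and "no" is assumed when the keyword is absent.
# Only whitespace-separated "Keyword value" lines are handled.
permit_empty_passwords() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "permitemptypasswords" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    ' "$1"
}

# Report each passwordless account together with the sshd setting.
# Returns 1 if any such account exists, 0 otherwise.
audit() {
    users=$(empty_password_users "$1")
    if [ -z "$users" ]; then
        echo "OK: no empty-password accounts"
        return 0
    fi
    setting=$(permit_empty_passwords "$2")
    for u in $users; do
        echo "FINDING: $u has an empty password (PermitEmptyPasswords=$setting)"
    done
    return 1
}

# Constructed sample files (not real data).
tmp=$(mktemp -d)
cat > "$tmp/shadow" <<'EOF'
root:$5$constructed$hash:15000::::::
alice::15000::::::
bob:NP:15000::::::
carol:*LK*:15000::::::
EOF
printf '# constructed sample\nPermitEmptyPasswords no\n' > "$tmp/sshd_config"
audit "$tmp/shadow" "$tmp/sshd_config" || true
rm -rf "$tmp"
```

On a live system the inputs would be `/etc/shadow` and `/etc/ssh/sshd_config`, read with sufficient privilege; each finding is closed by setting or locking the account's password.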