Solaris 10 allows ssh login with empty passwd

I have turned off PermitEmptyPasswords in sshd_config, but a user with an empty passwd (deleted by passwd -d user) can still log in without a password. Why? It is a big security concern; Linux doesn't have the issue.

 
$ uname -a
SunOS  5.10 Generic_118855-14 i86pc i386 i86pc
 
$/etc/ssh/sshd_config
PermitEmptyPasswords no

You likely forgot to have the configuration file read again by the daemon:

svcadm restart ssh

sshd has been restarted. This symptom exists on many hosts; I think it is weird Solaris default behaviour.

Go to the user's home directory on the server.
Go to the .ssh directory.
Delete the authorized_keys file.

It was not authenticated by ssh key; ssh -vv showed it succeeded by keyboard-interactive.

If the PASSREQ macro in /etc/default/login is set to YES, then a user cannot have a blank password.

I reproduced the issue on Solaris 10 update 4. It looks like a bug so might already be fixed in a patch. In any case, the same setting works as expected with OpenSolaris.

PASSREQ=YES has been set in /etc/default/login.

So we can only conclude it is a serious bug in "Sun_SSH_1.1"; Solaris 9 with OpenSSH doesn't have the issue.

IMHO, the most serious issue is having passwordless accounts in the first place. If you can't avoid that (I'm missing why you shouldn't), you might try disabling Solaris 10 ssh and installing OpenSSH instead. Another option would be to install OpenSolaris, where the issue is definitely fixed.
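
An added example, not part of any post in this thread: a small audit of the three things discussed above (empty password fields in the shadow file, PermitEmptyPasswords in sshd_config, PASSREQ in /etc/default/login). The function names are hypothetical, the sample file contents are constructed, and the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments so the checks can
# run on copies. On Solaris 10 use nawk or /usr/xpg4/bin/awk: /usr/bin/awk lacks -v.

# Accounts whose shadow password field is empty (what `passwd -d user` leaves).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# First uncommented value of an sshd_config keyword, lowercased, or "unset".
sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Value of PASSREQ in /etc/default/login, or "unset".
login_passreq() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 == "PASSREQ" { val = $2 }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# audit SHADOW SSHD_CONFIG LOGIN_DEFAULTS: returns 1 if anything is flagged.
# Empty password fields are flagged even when both settings look right,
# because the thread reports that those settings did not block the login.
audit() {
    rc=0
    users=$(empty_password_accounts "$1" | tr '\n' ' ')
    [ -z "$users" ] || { echo "empty password: $users"; rc=1; }
    [ "$(sshd_option "$2" PermitEmptyPasswords)" = "no" ] ||
        { echo "PermitEmptyPasswords is not 'no'"; rc=1; }
    [ "$(login_passreq "$3")" = "YES" ] ||
        { echo "PASSREQ is not YES"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the configuration reported in the thread.
d=$(mktemp -d)
printf 'root:HASHPLACEHOLDER:6445::::::\ntestuser::13800::::::\n' > "$d/shadow"
printf '# constructed sample\nPermitEmptyPasswords no\n' > "$d/sshd_config"
printf '#PASSREQ=NO\nPASSREQ=YES\n' > "$d/login"
audit "$d/shadow" "$d/sshd_config" "$d/login" || echo "audit: findings reported"
rm -rf "$d"
```

On a real host the call would be `audit /etc/shadow /etc/ssh/sshd_config /etc/default/login`, run as root so the shadow file is readable.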