Skip to content

Disable SSH root Login with a Password (Insecure)

An XCCDF Rule

Description

To disable password-based root logins over SSH, add or correct the following line in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf:

PermitRootLogin prohibit-password

warning alert: Warning

While this disables password-based root logins, direct root logins through other means such as through SSH keys or GSSAPI will still be permitted. Permitting any sort of root login remotely opens up the root account to attack. To fully disable direct root logins over SSH (which is considered a best practice) and prevent remote attacks against the root account, see CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar.

Rationale

Even though the communications channel may be encrypted, an additional layer of security is gained by preventing use of a password. This also helps to minimize direct attack attempts on root's password.

ID
xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
Severity
Medium
Updated



Remediation - Ansible

- name: Disable SSH root Login with a Password (Insecure)
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf