Disable SSH root Login with a Password (Insecure)
An XCCDF Rule
Description
To disable password-based root logins over SSH, add or correct the following line in
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
:
PermitRootLogin prohibit-password
warning alert: Warning
While this disables password-based root logins, direct root logins
through other means such as through SSH keys or GSSAPI will still be
permitted. Permitting any sort of root login remotely opens up the
root account to attack.
To fully disable direct root logins over SSH (which is considered a
best practice) and prevent remote attacks against the root account,
see CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar.
Rationale
Even though the communications channel may be encrypted, an additional layer of security is gained by preventing use of a password. This also helps to minimize direct attack attempts on root's password.
- ID
- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
- Severity
- Medium
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
Remediation - Ansible
- name: Disable SSH root Login with a Password (Insecure)
block:
- name: Deduplicate values from /etc/ssh/sshd_config
lineinfile:
path: /etc/ssh/sshd_config