
Disable SSH root Login with a Password (Insecure)

An XCCDF Rule

Description

To disable password-based root logins over SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin prohibit-password

Warning

While this disables password-based root logins, direct root logins through other means such as through SSH keys or GSSAPI will still be permitted. Permitting any sort of root login remotely opens up the root account to attack. To fully disable direct root logins over SSH (which is considered a best practice) and prevent remote attacks against the root account, see CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar.

Rationale

Even though the communications channel may be encrypted, an additional layer of security is gained by preventing use of a password. This also helps to minimize direct attack attempts on root's password.

ID
xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
Severity
Medium

Remediation - Ansible

- name: Find sshd_config included files
  shell: |-
    included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
    [[ -n $included_files ]] && ls $included_files || true
  register: sshd_config_included_files
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Find the Include keyword and extract from the line the glob expression for the included files;
# if the path is relative, prepend '/etc/ssh/'.
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|/etc/ssh/&|')
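Because sshd applies the first PermitRootLogin it reads, and Include directives are expanded in place (so a drop-in under /etc/ssh/sshd_config.d can shadow the line the description adds), a check has to walk the configuration in sshd's own order. The following checker is an added example, not part of the SSG rule or its remediation scripts; it assumes the sshd_config(5) rules that keywords are case-insensitive, that first occurrence wins, that relative Include paths resolve against /etc/ssh, and that an absent keyword means the OpenSSH default of prohibit-password, and it treats the stricter value `no` as compliant, which is this example's assumption, not the rule's text. The sample tree it builds is constructed, not taken from a real host.

```python
import glob, os, re, shlex, tempfile

SSH_DIR = "/etc/ssh"  # relative Include paths resolve against this (sshd_config(5))
# sshd accepts "Key value", "Key=value" and "Key = value"; keywords are case-insensitive
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")

def _directives(path, ssh_dir, in_match=False, depth=0):
    """Yield (keyword, value, in_match) in sshd's read order, expanding Include
    globs in place (sorted, as glob(3) returns them); depth guards Include loops."""
    if depth > 16:
        return
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            m = _LINE_RE.match(raw.split("#", 1)[0])  # strip comments first
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2)
            if key == "match":
                in_match = True  # later lines are conditional until the next Match
            elif key == "include":
                for pat in shlex.split(value):
                    pat = pat if os.path.isabs(pat) else os.path.join(ssh_dir, pat)
                    for inc in sorted(glob.glob(pat)):
                        yield from _directives(inc, ssh_dir, in_match, depth + 1)
                continue
            yield key, value, in_match

def effective_permit_root_login(path, ssh_dir=SSH_DIR):
    """Global value as sshd applies it: the FIRST occurrence outside a Match block
    wins; an absent keyword means the OpenSSH default, prohibit-password."""
    for key, value, in_match in _directives(path, ssh_dir):
        if key == "permitrootlogin" and not in_match:
            return value.lower()
    return "prohibit-password"

def root_password_login_disabled(path, ssh_dir=SSH_DIR):
    """True for prohibit-password, its old alias without-password, or the stricter 'no' (assumed OK)."""
    return effective_permit_root_login(path, ssh_dir) in ("prohibit-password", "without-password", "no")

def build_sample(dropin_value):
    """Constructed sample tree (not a real host): a drop-in file is included
    BEFORE the main file's own PermitRootLogin line, so the drop-in value wins."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "sshd_config.d"))
    with open(os.path.join(d, "sshd_config.d", "50-cloud.conf"), "w") as f:
        f.write(f"PermitRootLogin {dropin_value}\n")
    with open(os.path.join(d, "sshd_config"), "w") as f:
        f.write("Include sshd_config.d/*.conf\nPermitRootLogin prohibit-password  # shadowed\n"
                "Match User backup\n    PermitRootLogin no  # inside Match: not global\n")
    return os.path.join(d, "sshd_config"), d
```

Run `effective_permit_root_login("/etc/ssh/sshd_config")` on a host to see which value sshd actually applies; editing only the main file, as the description does, is not enough when an earlier-included drop-in sets `PermitRootLogin yes`.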