
Disable SSH Root Login

An XCCDF Rule

Description

The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin no

Warning

This rule is disabled on Red Hat Virtualization Hosts and Managers and will report as not applicable there: RHV hosts require root access so that they can be managed by RHV Manager.

Rationale

Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.

ID
xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    # Drop every existing PermitRootLogin line (case-insensitive) so that a single value remains
    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
fi
# Set the required value
printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
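Where the directive lands matters as much as its value: sshd uses the first global value it reads for a keyword, and every line after a Match line belongs to that Match block until the next one. A PermitRootLogin no simply appended to the end of a file that already contains a Match block is therefore scoped to that block, not to the whole daemon, and a root-allowing line earlier in the global section still wins. The script below is an added illustration, not the rule's own remediation or check: it takes the config path as a parameter, runs against a constructed sample rather than the live /etc/ssh/sshd_config, and uses awk instead of the GNU-sed /I flag so it is portable. The function names are made up for this example. It removes every PermitRootLogin line, Match-scoped ones included (the rule's sed does the same, so review any per-user overrides before running it on a real host), writes a single PermitRootLogin no before the first Match block, and then reports the effective global value the way the rule's check would.

```shell
#!/bin/sh
# Added example, not part of the SSG rule or its remediation scripts.
# Shows why the directive's position matters: sshd takes the first global
# value it sees, and anything after a "Match" line belongs to that Match block.
# The file path is a parameter so the demo runs on a constructed sample,
# not on the live /etc/ssh/sshd_config.

# Effective global PermitRootLogin: the first directive before any Match block.
# Prints "unset" when the global section has none (sshd's default then applies).
effective_permit_root_login() {
    awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Mirror of the rule's check: pass only when the global value is exactly "no".
check_permit_root_login_no() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Remediation: drop every existing PermitRootLogin line (case-insensitive,
# Match-scoped ones included, as the rule's sed does), then write a single
# "PermitRootLogin no" before the first Match block, or at EOF if there is none.
set_permit_root_login_no() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    awk '
        tolower($1) == "permitrootlogin" { next }
        !done && tolower($1) == "match"  { print "PermitRootLogin no"; done = 1 }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy over the original instead of mv, so mode, owner and SELinux label survive.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Constructed sample (not taken from any real host): a root-allowing global
# line, a stray lower-case duplicate, and a Match block with its own override.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
  permitrootlogin without-password
Match User backup
    PermitRootLogin forced-commands-only
    PasswordAuthentication no
EOF

echo "before: PermitRootLogin=$(effective_permit_root_login "$SAMPLE_CFG")"
set_permit_root_login_no "$SAMPLE_CFG"
echo "after:  PermitRootLogin=$(effective_permit_root_login "$SAMPLE_CFG")"
check_permit_root_login_no "$SAMPLE_CFG" && echo "check: pass" || echo "check: FAIL"
cat "$SAMPLE_CFG"
rm -f "$SAMPLE_CFG"
```

On a real host, validate the result with sshd -t -f /etc/ssh/sshd_config before reloading the daemon, keep an existing session open until a fresh non-root login has been confirmed, and remember that a commented-out line such as #PermitRootLogin prohibit-password is left alone here because its first word begins with #, exactly as sshd ignores it.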

Remediation - Ansible

- name: Disable SSH Root Login
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*PermitRootLogin\s+
      state: absent
    # Dry run only: counts matching lines into "dupes" without touching the file
    check_mode: true
    changed_when: false
    register: dupes
  # Same platform restriction as the shell remediation: skip containers
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]