Disable SSH root Login with a Password (Insecure)

An XCCDF Rule

Description

To disable password-based root logins over SSH, add or correct the following line in /etc/ssh/sshd_config:

PermitRootLogin prohibit-password

warning alert: Warning

While this disables password-based root logins, direct root logins through other means such as through SSH keys or GSSAPI will still be permitted. Permitting any sort of root login remotely opens up the root account to attack. To fully disable direct root logins over SSH (which is considered a best practice) and prevent remote attacks against the root account, see CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar.

Rationale

Even though the communications channel may be encrypted, an additional layer of security is gained by preventing use of a password. This also helps to minimize direct attack attempts on root's password.

ID: xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
Severity: Medium
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/ssh/sshd_config" ] ; then
    
    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert at the beginning of the file
printf '%s\n' "PermitRootLogin prohibit-password" > "/etc/ssh/sshd_config"
cat "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Disable SSH root Login with a Password (Insecure)
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config      create: true
      regexp: (?i)^\s*PermitRootLogin\s+
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*PermitRootLogin\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*PermitRootLogin\s+
      line: PermitRootLogin prohibit-password
      state: present
      insertbefore: BOF
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_root_password_login

Disable SSH root Login with a Password (Insecure)

Description

Rationale

Remediation - Shell Script

Remediation - Ansible