Profile Applicability:
• Level 1
Description:
The PermitRootLogin option in the SSH daemon (sshd) configuration controls whether the root user can log in directly via SSH. Disabling direct root login reduces the risk of unauthorized privileged access.
Rationale:
Preventing direct root login enforces the principle of least privilege by requiring users to authenticate as regular users before escalating privileges, enhancing system security.
Impact:
Pros:
Reduces the attack surface for privileged accounts.
Encourages use of sudo or other privilege escalation mechanisms.
Cons:
May inconvenience administrators who rely on direct root access.
Default Value:
Default settings vary; many systems enable root login by default or restrict it partially.
Pre-requisites:
Root or sudo privileges to modify SSH daemon configuration.
Remediation:
Test Plan:
Using Linux command line:
Check current PermitRootLogin setting in /etc/ssh/sshd_config:
grep ^PermitRootLogin /etc/ssh/sshd_config
Verify it is set to no or prohibit-password.
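The grep check above only matches lines that begin with the exact string PermitRootLogin, so it can miss an indented or differently cased directive that sshd reads first, as well as values set inside Match blocks. The following script is an added example, not part of the original benchmark text, that lists every PermitRootLogin value that can take effect and fails on anything other than no or prohibit-password. The function names, sample files and the choice to treat an unset value as a failure are assumptions of this example, and it reads a single file without following Include directives.

```shell
#!/bin/sh
# Added example. Assumption: one config file, no Include directives.

# List every PermitRootLogin value that can take effect: the first global one
# ("global=", or global=unset) and any set inside Match blocks ("match=").
permit_root_login_values() {
    awk '
        { sub(/^[ \t]+/, "") }                 # sshd ignores leading whitespace
        /^#/ || /^$/ { next }                  # comments and blank lines
        tolower($1) == "match" { in_match = 1; next }
        tolower($1) == "permitrootlogin" {     # keywords are case-insensitive
            if (in_match) print "match=" $2
            else if (!seen) { print "global=" $2; seen = 1 }  # first value wins
        }
        END { if (!seen) print "global=unset" }
    ' "$1"
}

# Return 0 only if every value is one this control accepts. An unset global
# value fails because the default varies between systems.
check_permit_root_login() {
    status=0
    for v in $(permit_root_login_values "$1"); do
        case "$v" in
            *=no|*=prohibit-password) ;;
            *) echo "FAIL: $v in $1"; status=1 ;;
        esac
    done
    if [ "$status" -eq 0 ]; then echo "PASS: $1"; fi
    return "$status"
}

# Constructed sample files, not taken from any real host.
SAMPLES=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' '  permitrootlogin yes' 'PermitRootLogin no' \
    > "$SAMPLES/shadowed.conf"
printf '%s\n' 'Port 22' 'PermitRootLogin prohibit-password' > "$SAMPLES/good.conf"
printf '%s\n' 'PermitRootLogin no' 'Match Address 192.0.2.0/24' \
    '    PermitRootLogin yes' > "$SAMPLES/override.conf"
printf '%s\n' 'Port 22' > "$SAMPLES/unset.conf"

for name in shadowed good override unset; do
    check_permit_root_login "$SAMPLES/$name.conf" || true
done
```

On a live host, sshd -T prints the effective configuration as sshd itself parses it and can be used to cross-check the result.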
Implementation Plan:
Using Linux command line:
Edit /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Set PermitRootLogin to no:
PermitRootLogin no
Save the file and restart sshd:
systemctl restart sshd
Confirm the setting:
grep ^PermitRootLogin /etc/ssh/sshd_config
Backout Plan:
Using Linux command line:
Re-enable root login if necessary by setting PermitRootLogin yes or other allowed values.
Restart sshd and verify accessibility.