iCompaas Support

Profile Applicability:
 • Level 1

Description:
The PermitRootLogin option in the SSH daemon (sshd) configuration controls whether the root user can log in directly via SSH. Disabling direct root login reduces the risk of unauthorized privileged access.

Rationale:
 Preventing direct root login enforces the principle of least privilege by requiring users to authenticate as regular users before escalating privileges, enhancing system security.

Impact:
 Pros:

• Reduces the attack surface for privileged accounts.
  
  

• Encourages use of sudo or other privilege escalation mechanisms.
  
  

Cons:

• May inconvenience administrators who rely on direct root access.
  
  

Default Value:
 Default settings vary; many systems enable root login by default or restrict it partially.

Pre-requisites:

• Root or sudo privileges to modify SSH daemon configuration.
  
  

Remediation:

Test Plan:

Using Linux command line:

Check current PermitRootLogin setting in /etc/ssh/sshd_config:

grep ^PermitRootLogin /etc/ssh/sshd_config

1. Verify it is set to no or prohibit-password.
   
   

Implementation Plan:

Using Linux command line:

Edit /etc/ssh/sshd_config:
vi /etc/ssh/sshd_config
Set PermitRootLogin to no:
PermitRootLogin no

Save the file and restart sshd:

systemctl restart sshd

Confirm the setting:

grep ^PermitRootLogin /etc/ssh/sshd_config

Backout Plan:

Using Linux command line:

1. Re-enable root login if necessary by setting PermitRootLogin yes or other allowed values.
   
   

2. Restart sshd and verify accessibility.
   
   

References:

• NIST SP 800-53 Revision 5 - AC-6