Profile Applicability:
 • Level 1

Description:
The PermitRootLogin option in the SSH daemon (sshd) configuration controls whether the root user can log in directly via SSH. Disabling direct root login reduces the risk of unauthorized privileged access.

Rationale:
 Preventing direct root login enforces the principle of least privilege by requiring users to authenticate as regular users before escalating privileges, enhancing system security.

Impact:
 Pros:

  • Reduces the attack surface for privileged accounts.

  • Encourages use of sudo or other privilege escalation mechanisms.

 Cons:

  • May inconvenience administrators who rely on direct root access.

Default Value:
 Default settings vary; many systems enable root login by default or restrict it partially.

Pre-requisites:

  • Root or sudo privileges to modify SSH daemon configuration.

Remediation:

Test Plan:

Using Linux command line:

  1. Check the current PermitRootLogin setting in /etc/ssh/sshd_config:

     grep ^PermitRootLogin /etc/ssh/sshd_config

  2. Verify it is set to no or prohibit-password.
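
The grep above is case-sensitive and prints every matching line, whereas sshd treats keywords case-insensitively and uses the first value it obtains, and a line inside a Match block applies only conditionally. The following added example (not part of the original benchmark text) reports the first global value in a file and checks it against the two accepted values. The function names and sample files are constructed for illustration, and Include directives are not followed.

```shell
#!/bin/sh
# Added example (not part of the benchmark text).
# Simplifications: Include directives are not followed and keyword/value are
# assumed to be whitespace-separated. On a live host, `sshd -T` prints the
# fully resolved configuration.

# Print the first global PermitRootLogin value in file $1, or "unset".
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                 # comment line
        { kw = tolower($1) }                # sshd keywords are case-insensitive
        kw == "match" { exit }              # global section ends at first Match
        kw == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when the value is one the Test Plan accepts.
is_compliant() {
    case "$(effective_permit_root_login "$1")" in
        no|prohibit-password) return 0 ;;
        *) return 1 ;;                      # yes, forced-commands-only, unset, ...
    esac
}

# Constructed sample configurations.
SAMPLES=$(mktemp -d)
printf '%s\n' 'Port 22' 'PermitRootLogin no' > "$SAMPLES/good.conf"
# A lowercase "yes" precedes the "no" that a case-sensitive grep would report.
printf '%s\n' 'permitrootlogin yes' 'PermitRootLogin no' > "$SAMPLES/shadowed.conf"
# The setting exists only inside a Match block, so it is not global.
printf '%s\n' 'Port 22' 'Match Address 192.0.2.0/24' 'PermitRootLogin no' \
    > "$SAMPLES/match_only.conf"
# Commented-out line only: the compiled-in default applies.
printf '%s\n' '#PermitRootLogin no' > "$SAMPLES/commented.conf"

for f in good shadowed match_only commented; do
    if is_compliant "$SAMPLES/$f.conf"; then verdict=PASS; else verdict=FAIL; fi
    printf '%-12s %-18s %s\n' "$f" "$(effective_permit_root_login "$SAMPLES/$f.conf")" "$verdict"
done
```

An "unset" result is treated as a failure here because the compiled-in default varies between systems, so the control is only demonstrably met when the value is set explicitly.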

Implementation Plan:

Using Linux command line:

Edit /etc/ssh/sshd_config:

vi /etc/ssh/sshd_config

Set PermitRootLogin to no:

PermitRootLogin no

Save the file and restart sshd:

systemctl restart sshd

Confirm the setting:

grep ^PermitRootLogin /etc/ssh/sshd_config

Backout Plan:

Using Linux command line:

  1. Re-enable root login if necessary by setting PermitRootLogin yes or other allowed values.

  2. Restart sshd and verify accessibility.
