4.5.3.5 sshd_config: PermitRootLogin is 'prohibit-password' or 'no'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The recommendation is to edit /etc/ssh/sshd_config to disable direct root login. Direct root login via SSH was enabled by default in OpenSSH releases before 7.0, which changed the default to prohibit-password. To be certain that direct root login is disabled, set this directive explicitly rather than relying on a default that has already changed once and may change again.

Rationale:

All root access should be facilitated through a local logon with a unique and identifiable user ID and then via the su command once locally authenticated.

Direct root login using passwords is insecure and does not provide sufficient logging or audit trailing for accountability.

Impact:

While this sounds simple, setting the attribute to no requires one of the following: sharing a root password (so that administrators can use su), installing sudo, or configuring extended RBAC for actions that require enhanced privileges.

The recommendation .... specifies a LogLevel of INFO or DEBUG.

To partially address the accountability concern, permitting only publickey authentication for root, together with LogLevel INFO at minimum, produces syslog records like the following. The fingerprint at the end of each record identifies which key was used, and therefore which person, provided each person has a distinct key:

Jun 25 09:26:41 x071 auth|security:info sshd[8323282]: Accepted publickey for michael from 192.168.129.11 port 54278 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk

Jun 25 09:26:52 x071 auth|security:info sshd[8847396]: Accepted publickey for root from 192.168.129.11 port 54279 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk

Jun 25 09:26:53 x071 auth|security:info sshd[9044142]: Accepted publickey for root from 192.168.129.11 port 54280 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk

Local site policy might decide that publickey accountability is sufficient, in which case PermitRootLogin prohibit-password (the default since OpenSSH 7.0) provides adequate accountability and security.

Note: with prohibit-password, root can authenticate only with a private key whose public half is listed in root's authorized_keys file (~root/.ssh/authorized_keys by default, or whatever AuthorizedKeysFile points to); password and keyboard-interactive logins for root are refused.
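The following is an added example, not part of the CIS audit or of OpenSSH, showing how the records above become an accountability report. It joins the SHA256 fingerprint in each "Accepted publickey for root" line against the fingerprints that ssh-keygen -lf prints for root's authorized_keys, whose comment field names the key owner. The hostname, user names, addresses, the key comments and the second and third fingerprints are constructed sample data; the fingerprint list is an inline stand-in for the ssh-keygen output. Besides attributing known keys, the report flags root logins with a key that is not in authorized_keys and any root login that did not use a key at all, which prohibit-password should make impossible.

```shell
#!/bin/sh
# Attribute each "Accepted publickey for root" event to a person by joining the
# fingerprint sshd logs at LogLevel INFO with the fingerprints ssh-keygen -lf
# prints for ~root/.ssh/authorized_keys (the key comment names the owner).
# All data below is constructed: hostname, users, addresses, comments and the
# second and third fingerprints are hypothetical.

# Constructed stand-in for: ssh-keygen -lf ~root/.ssh/authorized_keys
# Format: <bits> <SHA256 fingerprint> <comment> (<type>)
ROOT_KEY_FINGERPRINTS='3072 SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk michael@ws01 (RSA)
256 SHA256:7c5i0uHoL1y9Wd9gq0AYQG7rhLfu5MGRxIn7ZoUzl2A backup-runner (ED25519)'

# Constructed sshd syslog records (AIX syslog layout, LogLevel INFO)
AUTHLOG='Jun 25 09:26:41 x071 auth|security:info sshd[8323282]: Accepted publickey for michael from 192.168.129.11 port 54278 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk
Jun 25 09:26:52 x071 auth|security:info sshd[8847396]: Accepted publickey for root from 192.168.129.11 port 54279 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk
Jun 25 09:27:10 x071 auth|security:info sshd[9044142]: Accepted publickey for root from 10.0.0.5 port 41022 ssh2: ED25519 SHA256:QHkXmL2pR9vbTc3nE4sYwK8dZfG1hJ6uM0oVaB5cN7I
Jun 25 09:27:30 x071 auth|security:info sshd[9100001]: Accepted password for root from 10.0.0.9 port 41055 ssh2'

# usage: attribute_root_logins FINGERPRINT_FILE < syslog
# Prints one line per root login: date time source method owner
# owner is the authorized_keys comment, UNKNOWN-KEY when the fingerprint is not
# in root's authorized_keys (a key since removed, or added via another path),
# or NO-KEY(<method>) for a password/keyboard-interactive root login.
attribute_root_logins() {
    awk -v fpfile="$1" '
    BEGIN {
        # Build fingerprint -> owner from the ssh-keygen -lf style file
        while ((getline line < fpfile) > 0) {
            n = split(line, f, " ")
            owner[f[2]] = (n > 3) ? f[3] : "(no comment)"
        }
        close(fpfile)
    }
    /sshd\[[0-9]+\]: Accepted [^ ]+ for root from / {
        # Locate fields by keyword so the syslog prefix layout does not matter
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "from")     src    = $(i + 1)
        }
        fp = ($NF ~ /^SHA256:/) ? $NF : ""
        if (method != "publickey") who = "NO-KEY(" method ")"
        else if (fp in owner)      who = owner[fp]
        else                       who = "UNKNOWN-KEY"
        print $1, $2, $3, src, method, who
    }'
}

# Write the constructed fingerprint list to a private temp file and run the report
umask 077
FPFILE=${TMPDIR:-/tmp}/root_key_fingerprints.$$
printf '%s\n' "$ROOT_KEY_FINGERPRINTS" > "$FPFILE"
printf '%s\n' "$AUTHLOG" | attribute_root_logins "$FPFILE"
rm -f "$FPFILE"
```

On a real host, generate the fingerprint file with ssh-keygen -lf ~root/.ssh/authorized_keys and feed the report from the auth log. Any UNKNOWN-KEY line means authorized_keys has changed since the login or a key was accepted from another AuthorizedKeysFile location; any NO-KEY line means PermitRootLogin is not actually prohibit-password or no on that host.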

Solution

#!/usr/bin/ksh
# Set PermitRootLogin in sshd_config to the preferred value, covering three
# cases: an active line with another value, only a commented-out line, or no
# line at all.  The candidate file is diffed and checked with sshd -t before
# it replaces the live configuration.
PREFERRED_SETTING='prohibit-password'
CONFIG=/etc/ssh/sshd_config
NEWCONF=${CONFIG}.new.$$
umask 077

# Active setting, if any: $1 = keyword, $2 = value (both empty when absent)
set -- $(/usr/bin/egrep '^PermitRootLogin' ${CONFIG})
if [[ -n "$1" ]]; then
    if [[ "$2" = "${PREFERRED_SETTING}" ]]; then
        print "PermitRootLogin is already ${PREFERRED_SETTING}; nothing to do"
        exit 0
    fi
    # Active line with a different value: rewrite it (double quotes so the
    # variable expands; .* replaces whatever value currently follows)
    sed "s/^PermitRootLogin .*/PermitRootLogin ${PREFERRED_SETTING}/" ${CONFIG} >${NEWCONF}
elif /usr/bin/egrep -q '^# *PermitRootLogin' ${CONFIG}; then
    # Only a commented-out line: append the active setting right after it
    # (sed's a command takes a backslash followed by a newline)
    sed "/^# *PermitRootLogin/a\\
PermitRootLogin ${PREFERRED_SETTING}" ${CONFIG} >${NEWCONF}
else
    # No mention at all: append at the end of the file
    { cat ${CONFIG}; print "PermitRootLogin ${PREFERRED_SETTING}"; } >${NEWCONF}
fi

# Show the change, validate the candidate, and install it over a backup
diff -u ${CONFIG} ${NEWCONF}
if /usr/sbin/sshd -t -f ${NEWCONF}; then
    cp -p ${CONFIG} ${CONFIG}.bak.$$ && cp ${NEWCONF} ${CONFIG}
else
    print "new sshd_config failed validation; ${CONFIG} left unchanged" >&2
fi
rm -f ${NEWCONF}

Restart the sshd subsystem through the AIX System Resource Controller so the daemon re-reads its configuration (confirm it is back up with lssrc -s sshd before closing your existing session):

stopsrc -s sshd
sleep 5
startsrc -s sshd

Default Value:

PermitRootLogin prohibit-password

Additional Information:

The accepted values for this parameter are yes (not recommended), no (not recommended by this audit, but accepted), prohibit-password (the recommended setting), forced-commands-only (not recommended, but accepted) and without-password (a deprecated alias for prohibit-password).

PermitRootLogin:

Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password. If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root. If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. If this option is set to no, root is not allowed to log in.

See Also

https://workbench.cisecurity.org/benchmarks/7851