3.6.2.2 OpenSSH - PermitRootLogin

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The recommendation is to edit the /etc/ssh/sshd_config file to disable direct root login. Direct root login via SSH (using a password) was enabled by default in prior versions of OpenSSH. To be certain that direct login using a password is disabled, set this directive explicitly rather than relying on a default that has changed before and may change again. In other words, never rely on default values!

Rationale:

All root access should be facilitated through a local logon with a unique and identifiable user ID and then via the su command once locally authenticated.

Direct root login using passwords is insecure and does not provide sufficient logging or audit trailing for accountability.

Accountability can be achieved using PKI keys and sufficient log information to syslog.

Impact:

One option is to block all root access (by assigning the value no to PermitRootLogin). While this sounds simple, setting the attribute to no requires either sharing a root password (to use su), installing sudo, or a configuration using extended RBAC for actions that require enhanced privileges.

Given that recommendation 3.2.6.9 - Configuring SSH - set LogLevel to INFO specifies a LogLevel of INFO or DEBUG, a setting of prohibit-password is acceptable. In short, unless no is required by local corporate policy, the preferred setting is to disable root login using a password and to verify that OpenSSH logging is at least at level INFO.

See Additional Info for an example of how root login can be accounted.

Note: with prohibit-password, only the public keys listed in ~root/.ssh/authorized_keys will be able to log in as root.
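The following Python check is added here as an example; it is not part of the CIS audit or its ksh solution. It reads an sshd_config and reports whether PermitRootLogin is set explicitly and to an acceptable value, applying sshd's own rule that the first occurrence of a keyword wins, ignoring commented-out lines, and stopping at the first Match block because directives inside one are conditional rather than global. The default of prohibit-password and the set of acceptable values are taken from this page; the function and record names are the example's own.

```python
"""Check PermitRootLogin in an sshd_config file (added example, not from the audit)."""
import re
from dataclasses import dataclass

DEFAULT = "prohibit-password"                        # compiled-in default per this page
ACCEPTABLE = {"prohibit-password", "no", "forced-commands-only"}
ALIASES = {"without-password": "prohibit-password"}  # deprecated alias sshd still honours


@dataclass
class Finding:
    explicit: bool    # directive present outside any Match block
    value: str        # normalised effective value
    compliant: bool   # explicit and in ACCEPTABLE
    note: str


def effective_permit_root_login(config_text: str) -> Finding:
    """Return the PermitRootLogin value sshd would use in the global context."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank or commented out: inactive
        # sshd accepts "Key value" and "Key=value"; keywords are case-insensitive
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break                                      # later lines are conditional, not global
        if key == "permitrootlogin":
            norm = ALIASES.get(value, value)
            if value in ALIASES:
                note = f"{value} is a deprecated alias of {norm}; set {norm} explicitly"
            elif norm == "yes":
                note = "password login as root is allowed; not acceptable"
            elif norm in ACCEPTABLE:
                note = "set explicitly to an acceptable value"
            else:
                note = f"unknown value {value!r}; sshd would reject this configuration"
            return Finding(True, norm, norm in ACCEPTABLE, note)
    return Finding(False, DEFAULT, False,
                   f"not set; relying on the default ({DEFAULT}), which this audit does not accept")


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as fh:
        print(effective_permit_root_login(fh.read()))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this function is for auditing configuration files at rest, for example copies collected from many hosts.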

Solution

#!/usr/bin/ksh
# Set PermitRootLogin to the preferred value in /etc/ssh/sshd_config, handling an
# active directive, a commented-out directive, or no directive at all.
PREFERRED_SETTING='prohibit-password'
CONFIG=/etc/ssh/sshd_config
TMP=/tmp/sshd_config.$$
umask 077
# Positional parameters become: $1=PermitRootLogin $2=<current value> (empty if unset)
set -- $(/usr/bin/egrep '^PermitRootLogin' ${CONFIG})
if [[ ! -z "$1" ]]; then
    # An active setting exists; rewrite it if it is not the preferred value
    if [[ "$2" != "${PREFERRED_SETTING}" ]]; then
        sed "s/^PermitRootLogin[ ][ ]*[^ ][^ ]*/PermitRootLogin ${PREFERRED_SETTING}/" ${CONFIG} >${TMP}
    fi
elif /usr/bin/egrep '^#[ ]*PermitRootLogin' ${CONFIG} >/dev/null; then
    # Only a commented-out setting exists; append the directive after it
    sed "/^#[ ]*PermitRootLogin/a\\
PermitRootLogin ${PREFERRED_SETTING}" ${CONFIG} >${TMP}
else
    # No setting at all; add one at the end of the file
    print "PermitRootLogin ${PREFERRED_SETTING}" >> ${CONFIG}
fi

if [[ -e ${TMP} ]]; then
    # Show the change, keep a backup of the original, then install the new file
    diff -u ${CONFIG} ${TMP}
    cp -p ${CONFIG} ${CONFIG}.$$.bak
    cp ${TMP} ${CONFIG}
    rm ${TMP}
fi

Recycle (stop and restart) the sshd daemon to pick up the configuration changes:

stopsrc -s sshd
sleep 5
startsrc -s sshd

Default Value:

PermitRootLogin prohibit-password

Additional Information:

The values accepted for this parameter are yes (not recommended), no (not recommended, but accepted), prohibit-password (the recommended setting), forced-commands-only (not recommended, but accepted) and without-password (a deprecated alias of prohibit-password).

Man Page extract

PermitRootLogin:

Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password. If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root. If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root. If this option is set to no, root is not allowed to log in.

To establish accountability for who is logging in as root, publickey authentication together with LogLevel INFO (the minimum) provides the following syslog information. The key fingerprint recorded on each line is the same for the login as michael and for the two subsequent logins as root, so the root sessions can be attributed to michael's key:

Jun 25 09:26:41 x071 auth|security:info sshd[8323282]: Accepted publickey for michael from 192.168.129.11 port 54278 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk

Jun 25 09:26:52 x071 auth|security:info sshd[8847396]: Accepted publickey for root from 192.168.129.11 port 54279 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk

Jun 25 09:26:53 x071 auth|security:info sshd[9044142]: Accepted publickey for root from 192.168.129.11 port 54280 ssh2: RSA SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk
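The accountability these lines provide depends on mapping a key fingerprint back to a person. The Python below is an added example, not part of the audit or of any vendor tooling, and does that in two ways: it computes OpenSSH-style SHA256 fingerprints for the entries in ~root/.ssh/authorized_keys, whose comment field is assumed (as a local convention) to name the key owner, and it records which non-root accounts each fingerprint was also accepted for, as in the michael/root pairing above. The three log lines are the page's own; the authorized_keys entry, its placeholder key bytes and the two additional log lines are constructed for the example, and the regex assumes the `Accepted publickey ... ssh2: <type> SHA256:<fp>` line format shown on this page.

```python
"""Attribute root SSH public-key logins to a named key owner (added example)."""
import base64
import hashlib
import re
from collections import defaultdict

# Log format assumed from the sshd LogLevel INFO lines on this page
ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) ssh2: (?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)


def fingerprint(pubkey_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_owners(authorized_keys_text: str) -> dict:
    """Map fingerprint -> comment (assumed to name the owner) for each authorized_keys entry."""
    owners = {}
    for raw in authorized_keys_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Entries may carry a leading options field (e.g. command="..." or from="..."),
        # so locate the key-type token instead of assuming it comes first.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        owners[fingerprint(fields[idx + 1])] = " ".join(fields[idx + 2:]) or "<no comment>"
    return owners


def attribute_root_logins(log_lines, owners):
    """One record per root publickey login, naming the key's owner where known."""
    events = [m.groupdict() for m in map(ACCEPTED.search, log_lines) if m]
    seen_as = defaultdict(set)          # fingerprint -> non-root accounts it logged into
    for e in events:
        if e["user"] != "root":
            seen_as[e["fp"]].add(e["user"])
    records = []
    for e in events:
        if e["user"] != "root":
            continue
        owner = owners.get(e["fp"])
        also = sorted(seen_as.get(e["fp"], ()))
        records.append({"pid": e["pid"], "src": e["src"], "fp": e["fp"],
                        "owner": owner, "also_used_by": also,
                        "attributed": owner is not None or bool(also)})
    return records


# --- constructed sample data ---------------------------------------------------
# A syntactically valid ssh-ed25519 blob (RFC 4253 string encoding) with placeholder
# key bytes; it is not a real key.
_KEY = bytes(range(32))
FAKE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + len(_KEY).to_bytes(4, "big") + _KEY).decode()
FAKE_FP = fingerprint(FAKE_BLOB)

SAMPLE_AUTHORIZED_KEYS = f"# constructed ~root/.ssh/authorized_keys\nssh-ed25519 {FAKE_BLOB} michael@x071\n"

PAGE_FP = "SHA256:dRHxa5CGr5HCdC89suwYIBtAT8lyogz4SErSxTq0JXk"
SAMPLE_LOG = [
    # the three lines from this page
    f"Jun 25 09:26:41 x071 auth|security:info sshd[8323282]: Accepted publickey for michael from 192.168.129.11 port 54278 ssh2: RSA {PAGE_FP}",
    f"Jun 25 09:26:52 x071 auth|security:info sshd[8847396]: Accepted publickey for root from 192.168.129.11 port 54279 ssh2: RSA {PAGE_FP}",
    f"Jun 25 09:26:53 x071 auth|security:info sshd[9044142]: Accepted publickey for root from 192.168.129.11 port 54280 ssh2: RSA {PAGE_FP}",
    # constructed: a root login with the inventoried key, then one with an unknown key
    f"Jun 25 09:30:01 x071 auth|security:info sshd[9100001]: Accepted publickey for root from 192.168.129.12 port 54300 ssh2: ED25519 {FAKE_FP}",
    "Jun 25 09:31:15 x071 auth|security:info sshd[9100002]: Accepted publickey for root from 192.168.129.13 port 54301 ssh2: RSA SHA256:CONSTRUCTEDunknownfingerprint000000000000000",
]


def demo():
    """Run the attribution over the sample data; unattributed root logins need follow-up."""
    return attribute_root_logins(SAMPLE_LOG, key_owners(SAMPLE_AUTHORIZED_KEYS))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The inventory-based mapping is the stronger of the two: a fingerprint that appears in no authorized_keys entry and was never accepted for a named account, like the last sample line, is exactly the root login an operator should be asked to explain. The comment field is only a convention, so a site that wants this to be reliable should enforce that every key in ~root/.ssh/authorized_keys carries the owner's identity.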

See Also

https://workbench.cisecurity.org/files/3525