6.2.8 Disable SSH Root Login

Information

The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no.

Rationale:

Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident

Solution

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

PermitRootLogin no

Default Value:

OS Default: No

See Also

https://workbench.cisecurity.org/files/3096

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(9), CSCv7|4.3

Plugin: Unix

Control ID: ce04ffff2fb5f7e81540f7f1d62162e68918fac6712715c9b4312371303fad9d