5.2.8 Ensure SSH root login is disabled


The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident


Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no

See Also