Big Sur - Disable Root Login for SSH

Information

If SSH is enabled to assure individual accountability and prevent unauthorized access, logging in as root via SSH _MUST_ be disabled.

The macOS system MUST require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users _MUST_ never log in directly as root.

NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

[source,bash]
----
/usr/bin/sed -i.bak 's/^[#]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(5), CCE|CCE-85385-3, CCI|CCI-000770, STIG-ID|APPL-11-001100

Plugin: Unix

Control ID: ba9e25be04fe9b3479067a1274f6579fa84f54047f7880821880a7eb4c4d3b7b