← Rules Catalog
highaccess-controlverified rollback-safe

Disable SSH root login

ssh-disable-root-login · RHEL ≥ 8 · 2 impls

Description

The SSH daemon must not permit direct login as the root account. Root access must be obtained by authenticating as an individual user and then escalating privileges via sudo or su, ensuring accountability.

Rationale

Direct root login over SSH exposes the highest-privilege account to network brute-force attacks and eliminates the ability to attribute administrative actions to individual users. Disabling it enforces the principle of individual accountability and reduces the attack surface for remote compromise.

Check → Remediate

Checksshd_effective_config
key:
permitrootlogin
expected:
no
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
PermitRootLogin
value:
no
separator:
reload:
sshd

Framework references

CIS

rhel8 5.1.22rhel9 5.1.20rhel10 5.1.20

STIG

V-230296 / RHEL-08-010550V-257985 / RHEL-09-255045V-281265 / RHEL-10-700620

NIST 800-53

AC-6(2)AC-17(2)IA-2(5)

PCI-DSS v4

2.2.68.6.1

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#authentication#remote-access#privileged-access