highaccess-controlverified ✓rollback-safe
Disable SSH root login
ssh-disable-root-login · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must not permit direct login as the root account. Root access must be obtained by authenticating as an individual user and then escalating privileges via sudo or su, ensuring accountability.
Rationale
Direct root login over SSH exposes the highest-privilege account to network brute-force attacks and eliminates the ability to attribute administrative actions to individual users. Disabling it enforces the principle of individual accountability and reduces the attack surface for remote compromise.
Check → Remediate
Checksshd_effective_config
- key:
- permitrootlogin
- expected:
- no
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- PermitRootLogin
- value:
- no
- separator:
- reload:
- sshd
Framework references
CIS
rhel8 5.1.22rhel9 5.1.20rhel10 5.1.20
STIG
V-230296 / RHEL-08-010550V-257985 / RHEL-09-255045V-281265 / RHEL-10-700620
NIST 800-53
AC-6(2)AC-17(2)IA-2(5)
PCI-DSS v4
2.2.68.6.1
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#authentication#remote-access#privileged-access