{"description": "To disable password-based root logins over SSH, add or correct the following line in\n\n\n<tt>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</tt>:\n\n<pre>PermitRootLogin prohibit-password</pre>", "rationale": "Even though the communications channel may be encrypted, an additional\nlayer of security is gained by preventing use of a password.\nThis also helps to minimize direct attack attempts on root's password.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is commented out or not configured properly", "ocil": "To determine how the SSH daemon's <tt>PermitRootLogin</tt> option is set, run the following command:\n\n<pre>$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</pre>\n\n\nIf a line indicating <tt>prohibit-password</tt> is returned, then the required value is set.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "While this disables password-based root logins, direct root logins\nthrough other means such as through SSH keys or GSSAPI will still be\npermitted. Permitting any sort of root login remotely opens up the\nroot account to attack.\nTo fully disable direct root logins over SSH (which is considered a\nbest practice) and prevent remote attacks against the root account,\nsee CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable SSH root Login with a Password (Insecure)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_password_login/rule.yml", "template": {"name": "sshd_lineinfile", "vars": {"parameter": "PermitRootLogin", "value": "prohibit-password", "datatype": "string"}, "backends": {}}}