AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-269376 | SRG-OS-000109-GPOS-00056 | ALMA-09-034780 | SV-269376r1050259_rule | 2025-02-20 | 1 |
| Description |
|---|
| Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system. The root account is a known default username, so should not allow direct login as half of the username/password combination is known, making it vulnerable to brute-force password guessing attacks. |
| ℹ️ Check |
|---|
| Verify AlmaLinux OS 9 prevents users from logging on directly as "root" over SSH with the following command: $ sshd -T |grep -I permitrootlogin permitrootlogin no If the "PermitRootLogin" keyword is set to "yes" or "without-password", this is a finding. |
| ✔️ Fix |
|---|
| To configure the system to prevent users from logging on directly as root over SSH, add or modify the following line in "/etc/ssh/sshd_config": PermitRootLogin no Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file: $ echo "PermitRootLogin no" > /etc/ssh/sshd_config.d/root.conf Restart the SSH daemon for the settings to take effect: $ systemctl restart sshd.service |