AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269376 | ALMA-09-034780 | SV-269376r1050259_rule | CCI-004045 | medium |
| Description | ||||
| Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system. The root account is a known default username, so should not allow direct login as half of the username/password combination is known, making it vulnerable to brute-force password guessing attacks. | ||||
| STIG | Date | |||
| CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide | 2025-05-22 | |||
Details
Check Text (C-269376r1050259_chk)
Verify AlmaLinux OS 9 prevents users from logging on directly as "root" over SSH with the following command:
$ sshd -T |grep -I permitrootlogin
permitrootlogin no
If the "PermitRootLogin" keyword is set to "yes" or "without-password", this is a finding.
Fix Text (F-73308r1048505_fix)
To configure the system to prevent users from logging on directly as root over SSH, add or modify the following line in "/etc/ssh/sshd_config":
PermitRootLogin no
Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file:
$ echo "PermitRootLogin no" > /etc/ssh/sshd_config.d/root.conf
Restart the SSH daemon for the settings to take effect:
$ systemctl restart sshd.service