Red Hat Enterprise Linux: unable to log in as root via SSH after applying CIS Benchmarks
Environment
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 10
Issue
- The root account is unable to log in via SSH after applying the CIS RHEL Benchmarks.
- On RHEL 9/10, root still cannot log in even after setting 'PermitRootLogin yes' in /etc/ssh/sshd_config.
Resolution
- For RHEL 8:
- Change the PermitRootLogin setting to yes in /etc/ssh/sshd_config:
PermitRootLogin yes
- For RHEL 9/10:
- Change the PermitRootLogin setting to yes in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.
- Or remove the PermitRootLogin line from /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf, then set it in /etc/ssh/sshd_config:
PermitRootLogin yes
- Then reload the sshd service:
# systemctl reload sshd
Root Cause
- As part of the CIS RHEL Benchmarks security hardening, root login via SSH is disabled.
- In the RHEL 8 profile, this setting directly adds or corrects the line 'PermitRootLogin no' in /etc/ssh/sshd_config.
- In RHEL 9/10, this setting adds or corrects the line 'PermitRootLogin no' in /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf instead. sshd uses the first value it reads for a keyword, and the RHEL 9/10 /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own settings, so the 'PermitRootLogin no' in the drop-in file takes precedence over a 'PermitRootLogin yes' placed later in /etc/ssh/sshd_config.
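The precedence described above, as an added example that is not part of the article: a constructed config tree modelled on the RHEL 9 layout, a small emulation of sshd's first-value-wins rule that follows Include directives, and the article's second RHEL 9/10 fix (removing the line from the drop-in) applied to it. The file paths under the temporary directory are constructed for the demo.

```shell
#!/bin/bash
# Constructed demo (not from the article): emulate sshd's rule that the first
# value obtained for a keyword wins, following Include directives in order,
# to show why a drop-in "PermitRootLogin no" beats a later "yes" in sshd_config.

# Prints "<value> <file>" for the first PermitRootLogin line sshd would read,
# recursing into Include'd files (glob-expanded, in order). Assumes the
# whitespace-separated "keyword value" form used by the article, not "key=value".
first_permit_root_login() {
    local f="$1" line key val g
    [ -r "$f" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}          # drop leading blanks
        case "$line" in ''|'#'*) continue ;; esac       # skip blanks/comments
        key=${line%%[[:space:]]*}
        val=${line#"$key"}; val=${val#"${val%%[![:space:]]*}"}
        val=${val%"${val##*[![:space:]]}"}              # trim trailing blanks
        case "$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')" in
            include)
                for g in $val; do                       # same order as sshd
                    [ -f "$g" ] && first_permit_root_login "$g" && return 0
                done ;;
            permitrootlogin)
                printf '%s %s\n' "$val" "$f"; return 0 ;;
        esac
    done < "$f"
    return 1
}

# Removes every PermitRootLogin line from FILE (the article's second RHEL 9/10
# option), rewriting in place so the drop-in keeps its 0600 mode.
remove_permit_root_login_line() {
    local f="$1" tmp; tmp=$(mktemp)
    grep -iv '^[[:space:]]*PermitRootLogin[[:space:]]' "$f" > "$tmp" || true
    cat "$tmp" > "$f"; rm -f "$tmp"
}

# Constructed config tree modelled on the RHEL 9 layout (Include at the top).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sshd_config.d"
printf '%s\n' "Include $demo_dir/sshd_config.d/*.conf" \
    "#PermitRootLogin prohibit-password" "PermitRootLogin yes" > "$demo_dir/sshd_config"
hardening="$demo_dir/sshd_config.d/00-complianceascode-hardening.conf"
printf '%s\n' "PermitRootLogin no" > "$hardening"; chmod 0600 "$hardening"

before=$(first_permit_root_login "$demo_dir/sshd_config")   # "no <drop-in>"
remove_permit_root_login_line "$hardening"
after=$(first_permit_root_login "$demo_dir/sshd_config")    # "yes <sshd_config>"
printf 'before fix: %s\nafter fix:  %s\n' "$before" "$after"
rm -rf "$demo_dir"
```

On a real host the authoritative check is `sshd -T | grep -i permitrootlogin`, which prints the value sshd actually resolved after processing every Include.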
Diagnostic Steps
- Check the PermitRootLogin setting in /etc/ssh/sshd_config on RHEL 8:
# grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
# the setting of "PermitRootLogin without-password".
- On RHEL 9/10, root still cannot log in via SSH after changing the PermitRootLogin setting to yes in /etc/ssh/sshd_config:
$ grep PermitRootLogin /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
PermitRootLogin yes <=== yes
# the setting of "PermitRootLogin without-password".
- Check the CIS RHEL Benchmarks profile for RHEL 9 in /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml:
...
To disable root login via SSH, add or correct the following line in
<html:code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</html:code>:
<html:pre>PermitRootLogin no</html:pre>
...
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert at the beginning of the file
printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
...
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
  lineinfile:
    path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    create: true
    regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
    line: PermitRootLogin no
    state: present
    insertbefore: BOF
    validate: /usr/sbin/sshd -t -f %s
...
- The RHEL 10 CIS RHEL Benchmarks profile, /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml, is similar to the RHEL 9 one:
...
<xccdf-1.2:description>The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
<html:code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</html:code>:
<html:pre>PermitRootLogin no</html:pre> <===
...
mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
chmod 0600 /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert at the beginning of the file
printf '%s\n' "PermitRootLogin no" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" <===
cat "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
...
- name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
  lineinfile:
    path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf <===
    create: true
    regexp: (?i)(?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
    line: PermitRootLogin no <===
    state: present
    insertbefore: BOF
    validate: /usr/sbin/sshd -t -f %s
...
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.