Disallow SSH root login

Hi, when I run rkhunter it gives me:

Checking if SSH root access is allowed [ Warning ]

I researched this and found I needed to:

  • sudo gedit /etc/ssh/sshd_config

  • Search for the following line in the SSH configuration file:
    #PermitRootLogin no

  • I found:
    PermitRootLogin yes

  • Changed it to:
    PermitRootLogin no

BUT when I run rkhunter it still gives me the same warning.

I am just a happy home user of Rocky Linux workstation and so not an expert.

Is there anything else I should do to disallow ssh root login?

Any help is mucho appreciated.
Thanks ahead of time.

Did you restart the sshd service?

sudo systemctl restart sshd

2 Likes

I never understood this default in RHEL, and lack of warnings about it in the RHEL docs. It might be different in v9.

1 Like

The default in RHEL7 and lower was to permit root. From RHEL8 and higher, the default is either without-password or prohibit-password. However, this was no different to a lot of the other distros out there. At one point in time Debian as well as Ubuntu also had similar configuration before using one of the other methods. Some defaulted to the without one, and some to prohibit.

The newer two options allow you to put an SSH key under /root/.ssh/authorized_keys and you can then directly connect to the server via ssh as root. It just won’t allow password access. Otherwise, set permitroot to no to completely disable it, for ssh keys as well.

1 Like

without-password is a synonym for prohibit-password. Older openssh had only the former. The latter sounds more intuitive, while both mean that root cannot log in with a password.

In the EL9 installer there is an opt-in checkbox, which – if selected – adds a file with PermitRootLogin yes to override the default PermitRootLogin prohibit-password. (On EL9 there is a directory /etc/ssh/sshd_config.d/ where one can drop in customizations. EL8 has a dir only for client customizations: /etc/ssh/ssh_config.d/ )

Do you ssh to your workstation, ever? If not, then you could disable the sshd.service. No process, no vulnerability.

2 Likes
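
The override described in the post above matters because sshd keeps the first value it reads for each keyword, so a drop-in file included at the top of the main file wins over a later PermitRootLogin line. The following is an added example, not code from the thread; the function names, file names and sample files are constructed, and it assumes the Include line sits at the top of the main file as in the sample.

```shell
#!/bin/sh
# Added example: which PermitRootLogin value does sshd end up with?
# sshd keeps the FIRST value it reads for a keyword, and Include pulls files in
# at the point where it appears. Simplifications: scanning stops at the first
# Match block, and "key=value" or quoted values are not handled.
# On a real host, `sshd -T` prints the effective configuration authoritatively.

# Print the config as "keyword args" lines, following Include (hypothetical helper).
emit_config() (
    while read -r kw rest || [ -n "$kw" ]; do
        case $kw in ''|\#*) continue ;; esac          # blank line or comment
        kw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')      # keywords are case-insensitive
        if [ "$kw" = include ]; then
            for f in $rest; do                        # unquoted: expand the glob
                if [ -f "$f" ]; then emit_config "$f"; fi
            done
        else
            printf '%s %s\n' "$kw" "$rest"
        fi
    done < "$1"
)

# Print the first global PermitRootLogin value, or the EL8+ default if none is set.
effective_permit_root_login() {
    emit_config "$1" | awk '
        done { next }
        $1 == "match" { done = 1; next }
        $1 == "permitrootlogin" { val = tolower($2); done = 1 }
        END { print (val == "" ? "prohibit-password" : val) }'
}

# Constructed sample: a drop-in says "yes", the edited main file says "no".
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/sshd_config.d"
printf 'PermitRootLogin yes\n' > "$demo/sshd_config.d/50-constructed.conf"
printf 'Include %s/sshd_config.d/*.conf\n#PermitRootLogin no\nPermitRootLogin no\n' \
    "$demo" > "$demo/sshd_config"

echo "effective PermitRootLogin: $(effective_permit_root_login "$demo/sshd_config")"
```

On the sample files the drop-in's value is reported even though the main file was changed to no, which is the case to rule out when a scanner keeps warning after an edit.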

@joebeasley3
Thanks for responding to my post.
I should have mentioned a few more things:

  • I don't wish to have ssh access enabled to my machine. I am a home user of the workstation and was trying to secure my machine.
  • I had edited sshd_config a few months ago and I restart my machine daily, so I presume that would have restarted the sshd service often
  • I had disabled sshd at that time as well

I was wondering why rkhunter would be warning me that ssh root access is enabled when I have done the above things…

@jlehtone
Thanks once again for taking the time to help out.

You are correct, I don't ssh to my workstation 🙂
And a couple of months ago I tried to do as much as possible to secure my machine, e.g. disallowing ssh access. I should have mentioned this in the first place.
At the time I had learned to do and did the following:
I had set “PermitRootLogin no” in sshd_config.
I had also disabled the sshd service.

> Do you ssh to your workstation, ever? If not, then you could disable the sshd.service. No process, no vulnerability.

Thanks for confirming it is best to disable the sshd.service. No process, no vulnerability.

I just checked:

sudo systemctl status sshd

and got:

sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: enabled)
Active: inactive (dead)

Just to confirm, does this mean ssh is fully disabled? I ask because I do see a vendor preset: enabled in there as well.

But I was wondering, when I had PermitRootLogin set to no and had disabled ssh, why rkhunter was giving me the warning on ssh root access.

I don’t know “rkhunter” nor what it actually checks.

Yes. Some packages set service enabled, when you install it. Others have the “disabled” preset and you have to explicitly enable such service. The sshd is enabled by default, but you have properly disabled it.

1 Like

You can even uninstall sshd; that way it can never be enabled or run:

dnf remove openssh-server

1 Like

@jlehtone

> I don’t know “rkhunter” nor what it actually checks.

Fair enough 🙂 I don’t mean to get support on rkhunter here on the Rocky Linux forum. I was just more concerned if I still have ssh root access allowed and you helped me with that.

Thanks for explaining what vendor preset means.

For anyone who finds this post searching for rkhunter, I came across rkhunter from this article:

@iwalker
Thanks for pointing out that I can uninstall sshd and how to do it. I have removed it.

1 Like