RH124 - ch10s05
The default configuration of the OpenSSH server works well for many use cases. However, you might want to make some changes to strengthen the
security of your system. You might want to prohibit direct remote login to the root account, and you might want to prohibit password-based
authentication (in favor of SSH private key authentication).
The root username exists on every Linux system by default, so a potential attacker needs only to guess the password, instead of a valid
username and password combination. This scenario reduces complexity for an attacker.
The root user has unrestricted privileges, so its compromise can lead to maximum damage to the system.
From an auditing perspective, it can be hard to track which authorized user logged in as the root user and made changes. If users must log in as
a regular user and switch to the root account, then you can view a log event for accountability.
Important
Starting in Red Hat Enterprise Linux 9, the PermitRootLogin parameter is set to the prohibit-password value by default. This value
enforces the use of key-based authentication instead of passwords for logging in as the root user, and reduces the risk of brute-force
attacks.
The OpenSSH server uses the PermitRootLogin configuration setting in the /etc/ssh/sshd_config file to allow or prohibit users from logging in to the
system as the root user, as in the following example:
PermitRootLogin yes
If the PermitRootLogin parameter is set to the yes value, then anyone can log in as the root user remotely. To prevent this situation, set the value
to no. Alternatively, to prevent password-based authentication but to allow private key-based authentication for root, set
https://rha.ole.redhat.com/rha/app/courses/rh124-9.0/pages/ch10s05/85223ae4-a208-4a0c-8807-f8580dad018f
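Because sshd uses the first value it obtains for each keyword, and treats every line after a Match line as conditional until the next Match line or the end of the file, a hardening line appended to the bottom of sshd_config can be silently ineffective. The following audit script is an added example, not code from the RH124 course or from OpenSSH: it parses an sshd_config text with those two rules and reports the effective PermitRootLogin and PasswordAuthentication values. The SAMPLE_CONFIG and HARDENED_CONFIG strings are constructed, and parse_sshd_config, audit_global and report are names introduced here.

```python
"""Audit an sshd_config for PermitRootLogin / PasswordAuthentication.

Added example, not code from the RH124 course or from OpenSSH. Implements two
rules from sshd_config(5): for each keyword the FIRST value obtained is used,
and every line after a `Match` line is conditional until the next Match line
or end of file. A hardening line appended to the bottom of the file can
therefore be silently ineffective.
"""
import re

# Constructed sample: the hardening lines were appended at the end of the
# file, after an existing `PermitRootLogin yes` and after a Match block.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample with the same directives placed in the global section.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

# Values sshd applies when a keyword is absent (OpenSSH 7.0+, RHEL 9).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Parse sshd_config text.

    Returns (global_settings, match_blocks, ignored):
      global_settings: {keyword: first value} outside any Match block
      match_blocks:    [(match criteria, {keyword: first value}), ...]
      ignored:         [(line_no, keyword, value), ...] duplicates sshd drops
    Keywords are case-insensitive; "Keyword value" and "Keyword=value" both parse.
    """
    global_settings, match_blocks, ignored = {}, [], []
    current = global_settings
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword without a value; sshd itself would reject this
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            current = {}  # everything up to the next Match line is conditional
            match_blocks.append((value, current))
            continue
        if keyword in current:
            ignored.append((line_no, keyword, value))  # first value already won
        else:
            current[keyword] = value
    return global_settings, match_blocks, ignored


def audit_global(global_settings):
    """Return findings for the values sshd applies to every connection."""
    findings = []
    root = global_settings.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: root may log in remotely, including with a password")
    pw = global_settings.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower()
    if pw == "yes":
        findings.append("PasswordAuthentication yes: password logins are accepted for every user")
    return findings


def report(text):
    """Human-readable lines: global findings, Match overrides, ignored lines."""
    global_settings, match_blocks, ignored = parse_sshd_config(text)
    lines = [f"GLOBAL: {f}" for f in audit_global(global_settings)]
    for criteria, block in match_blocks:
        for keyword in DEFAULTS:
            if keyword in block:
                lines.append(f"MATCH {criteria}: {keyword}={block[keyword]} applies only to matching connections")
    for line_no, keyword, value in ignored:
        lines.append(f"IGNORED line {line_no}: {keyword}={value} (an earlier value already took effect)")
    return lines


if __name__ == "__main__":
    for title, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {title} ==")
        for line in report(cfg) or ["no findings"]:
            print(line)
```

On the constructed SAMPLE_CONFIG the script reports that the global PermitRootLogin is still yes, that the `PermitRootLogin prohibit-password` and `PasswordAuthentication no` lines only apply to connections from 10.0.0.0/8, and that the final `PermitRootLogin no` is ignored entirely. On a real host, `sshd -T` prints the effective values sshd will use, which is the authoritative check after editing the file.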