Linux - System Preferences - Disable Remote Root Login (PermitRootLogin)

Disable direct root login over SSH by setting PermitRootLogin to no on Linux endpoints

Worklet Details

What the Root Login Disabler does

This Automox Worklet™ prevents direct SSH login to the root account on Linux endpoints. The Worklet configures the SSH daemon to reject authentication attempts for the root user by setting PermitRootLogin to no.

The Worklet removes any existing PermitRootLogin directives from /etc/ssh/sshd_config using sed, then appends PermitRootLogin no to the configuration file. Before restarting the SSH service, it validates the configuration syntax with sshd -t to prevent service disruption.

Administrators can still gain root access by logging in as a regular user and using sudo or su to elevate privileges. This approach provides better accountability through audit trails of which user performed administrative actions.

Why disable direct root SSH access

The root account exists on every Linux system, making it a predictable target for brute force attacks. Disabling direct root login forces attackers to guess both a valid username and password, significantly increasing attack difficulty.

Requiring administrators to log in as individual users before escalating to root creates an audit trail. System logs show which user account initiated a session before gaining root access, improving accountability and forensic capabilities.

Most security frameworks and compliance standards require disabling direct root SSH access. CIS Benchmarks explicitly recommend setting PermitRootLogin to no. Organizations subject to SOC 2, PCI-DSS, or HIPAA typically implement this control as part of their security baseline.

How root login disabling works

  1. Evaluation phase: The Worklet verifies that /etc/ssh/sshd_config exists. It parses the configuration to find the PermitRootLogin setting. If the value is not explicitly set to no, or if the setting is missing or empty, the endpoint is flagged for remediation.

  2. Remediation phase: The Worklet uses sed to remove all existing PermitRootLogin lines from sshd_config. It appends PermitRootLogin no to the file, validates the configuration with sshd -t, and restarts the sshd service using systemctl restart sshd.
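
The two phases above, written as shell functions. This is an added example, not Automox's Worklet code, and the function names are hypothetical. It differs from the described remediation in one respect: it writes PermitRootLogin no on the first line of the file instead of appending it, because sshd uses the first value it reads for each keyword and a line appended after a Match block applies only inside that block.

```bash
# Added example, not Automox's Worklet code; function names are hypothetical.

# Evaluation: returns 0 = compliant, 1 = needs remediation, 2 = config missing.
# sshd keeps the first value it reads for a keyword, and a directive under a
# Match line applies only to that block, so the first global value must be
# "no" and no Match block may set anything else.
check_permit_root_login() {
    [ -f "$1" ] || return 2
    awk '
        tolower($1) == "match"           { in_match = 1; next }
        tolower($1) != "permitrootlogin" { next }
        in_match { if ($2 != "no") bad = 1; next }
        !seen    { seen = 1; if ($2 != "no") bad = 1 }
        END      { exit ((seen && !bad) ? 0 : 1) }
    ' "$1"
}

# Write a remediated copy of config $1 to $2: drop every active
# PermitRootLogin line, then place "PermitRootLogin no" on the first line so
# it is in global scope, ahead of any Include or Match line.
stage_permit_root_login_no() {
    { printf 'PermitRootLogin no\n'
      awk 'tolower($1) != "permitrootlogin"' "$1"; } > "$2"
}

# Live remediation (needs root): stage, validate, back up, install, restart.
remediate_live() {
    cfg=/etc/ssh/sshd_config
    check_permit_root_login "$cfg" && return 0
    tmp=$(mktemp) || return 1
    rc=0
    { stage_permit_root_login_no "$cfg" "$tmp" &&
      sshd -t -f "$tmp" &&        # never install a config that sshd rejects
      cp -p "$cfg" "$cfg.bak" &&
      cat "$tmp" > "$cfg" &&      # overwrite in place to keep owner and mode
      systemctl restart sshd; } || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Nothing runs on load; call as "script.sh --apply" to change the live host.
if [ "${1:-}" = "--apply" ]; then remediate_live; fi
```

A Match block in a file pulled in by an Include line can still set its own value; sshd -T | grep -i permitrootlogin, run as root, prints the setting sshd actually uses.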

Root login configuration requirements

  • SSH server installed with configuration at /etc/ssh/sshd_config

  • Root or sudo privileges for configuration changes and service restart

  • At least one non-root user account with sudo or su access configured

  • Alternative access method (console, IPMI, cloud provider console) available for emergencies

Expected SSH access state after remediation

After successful remediation, SSH connections to the root account are rejected regardless of whether the correct password or key is provided. Users attempting to SSH directly as root receive a Permission denied message, and the /etc/ssh/sshd_config file contains PermitRootLogin no. You can verify this by attempting to SSH as root, which should be denied, or by checking /etc/ssh/sshd_config for that line.

Administrators access the system by logging in as a regular user, then using sudo or su to gain root privileges. You can verify the setting by running grep PermitRootLogin /etc/ssh/sshd_config. The Automox Activity Log shows the configuration change and service restart confirmation.

How to validate Disable Remote Root Login (PermitRootLogin) changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for Disable Remote Root Login (PermitRootLogin).

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script's logic, such as exit, function, and check_PermitRootLogin.

  4. Validate remediation effects from script operations such as exit, function, and sed, then rerun the evaluation to confirm compliance.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
