Create an SSH Root Access Policy for Linux

The SSH Root Access policy governs whether the root user can remotely log in to a system via SSH. This is a critical security setting, as enabling root login can expose systems to potential unauthorized access. This policy gives you an easy way to mass-control the PermitRootLogin configuration on your Linux devices.

Prerequisites:

  • The policy is applied only if the SSH daemon (sshd) is installed on the device.
    • To install an SSH server on a Linux device, use the package manager specific to your distribution:
      • Debian/Ubuntu/Linux Mint (Cinnamon)/Pop!_OS: sudo apt install openssh-server
      • Fedora/CentOS/RHEL: sudo dnf install openssh-server
      • Amazon Linux: sudo yum install openssh-server
      • Rocky Linux: sudo dnf install openssh-server

Considerations:

  • It is highly recommended to disable root login and use a non-root user for SSH access. Enabling root login via SSH can expose devices to brute-force attacks or unauthorized access, particularly if strong passwords or key-based authentication are not enforced.
  • Consider using a non-root user with sudo privileges for remote management, which improves security by limiting access to sensitive system functions.
  • Ensure that alternate user accounts with appropriate privileges are configured before disabling root access to avoid being locked out of critical systems.

To create a Control SSH Root Access policy:

  1. Log in to the JumpCloud Admin Portal.
  2. Go to DEVICE MANAGEMENT > Policy Management.
  3. In the All tab, click (+).
  4. On the New Policy panel, select the Linux tab.
  5. Find the SSH Root Access policy from the list, then click configure.
  6. Under Settings, choose whether to allow SSH root login with the Allow SSH Root Login setting:
    • Checked (enabled): Root login via SSH will be allowed on the target devices.
    • Unchecked (disabled): Root login via SSH will be disallowed, which is generally considered a best practice to prevent potential security risks.
  7. (Optional) Select the Device Groups tab. Choose one or more device groups where you’ll apply this policy.
  8. (Optional) Select the Devices tab. Choose one or more devices where you’ll apply this policy.
  9. Click save. When the policy is saved, it will be automatically enforced on the target systems where the SSH daemon is present.

To verify the root login setting on a device, run the following command in a terminal: sudo grep PermitRootLogin /etc/ssh/sshd_config. A response of PermitRootLogin no means that root access has been denied.
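A plain grep also matches commented-out lines and values inside Match blocks, and it does not see drop-in files pulled in by an Include line. The shell function below is an added example, not JumpCloud code: it resolves the global value using sshd's first-value-wins rule, and the sample files, paths and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not JumpCloud code): resolve the global PermitRootLogin value
# the way sshd reads it, instead of trusting a raw grep match.
# Usage: effective_permit_root_login FILE...
# Assumption: the caller lists the files in the order sshd reads them
# (an Include target goes at the position of its Include line).
effective_permit_root_login() {
    awk '
        FNR == 1 { in_match = 0 }            # Match scope does not cross files
        /^[ \t]*#/ || NF == 0 { next }       # commented-out and blank lines
        { key = tolower($1); sub(/=.*/, "", key) }   # keywords ignore case
        key == "match" { in_match = 1; next }        # conditional from here on
        key == "permitrootlogin" && !in_match {
            val = $0
            sub(/^[ \t]*[^ \t=]+[ \t]*=?[ \t]*/, "", val)   # strip keyword
            sub(/[ \t]+$/, "", val)
            print tolower(val); found = 1; exit      # first value wins
        }
        END { if (!found) print "unset" }    # sshd falls back to its default
    ' "$@"
}

# Constructed sample files for the demo; paths and contents are made up.
make_samples() {
    dir=$1
    cat > "$dir/sshd_config" <<'EOF'
#PermitRootLogin prohibit-password
Include sshd_config.d/*.conf
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF
    printf 'permitrootlogin = yes\n' > "$dir/50-dropin.conf"
}

demo() {
    d=$(mktemp -d) && make_samples "$d"
    echo "main file only:     $(effective_permit_root_login "$d/sshd_config")"
    echo "drop-in read first: $(effective_permit_root_login "$d/50-dropin.conf" "$d/sshd_config")"
    rm -rf "$d"
}
demo
```

On a live host, sudo sshd -T | grep -i permitrootlogin prints the value that sshd itself resolves, Include files included.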
