Quick Summary
SSH Root Login Permitted is a security misconfiguration where the SSH service allows direct login as the root user. Permitting root-level remote authentication significantly increases the risk of complete system compromise if credentials are exposed or brute-forced.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | SSH Privileged Access Misconfiguration |
| CWE ID | CWE-250 – Execution with Unnecessary Privileges |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 8.6 (High) |
| CVSS Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | Internal / External Network |
Affected Asset / Environment
- Service: SSH
- Default Port: 22
- Platforms: Linux, Unix Servers
- Testing Method: Black-box Network Assessment
- Tools Used: Nmap, SSH Client, Hydra
Description
The assessor observed that the SSH service running on the target system allows direct login as the root user. During testing, the SSH daemon accepted authentication attempts for the root account.
Root accounts possess unrestricted administrative privileges. Allowing direct root login over SSH removes the additional control layer provided by privilege escalation mechanisms such as sudo. If an attacker successfully compromises the root credentials, full system control is immediately obtained.
This configuration significantly increases the risk of total system compromise.
Root Cause
The issue occurs due to insecure SSH daemon configuration where root login is permitted.
Common root causes include:
PermitRootLogin yesconfigured in sshd_config- Default configuration not hardened
- Lack of secure baseline implementation
- Failure to enforce least privilege principle
Business Impact
Exploitation of this vulnerability may result in full administrative access to production servers. Attackers who obtain root credentials may modify system files, disable security controls, extract sensitive data, deploy malware, or pivot to other internal systems.
In enterprise environments, direct root compromise may lead to service outages, regulatory non-compliance, financial loss, and reputational damage.
Technical Impact
An attacker can:
- Authenticate directly as root
- Gain unrestricted shell access
- Modify system configurations
- Disable logging and security controls
- Install backdoors
- Escalate attacks across the internal network
Direct root login bypasses layered access control mechanisms.
Proof of Concept (PoC)
Step1: Identify SSH Service
nmap -sV -p 22 <target-ip>
If SSH is detected, proceed to authentication testing.
Step2: Attempt Direct Root Login
ssh root@<target-ip>
If the system prompts for password or key authentication for the root account, direct root login is enabled.
Step3: Enumerate SSH Configuration Methods
nmap -p 22 --script ssh-auth-methods <target-ip>
If authentication methods are returned for root and login is allowed, configuration is insecure.
Step4: Brute-force Risk Validation (Authorized Testing Only)
hydra -l root -P passwords.txt ssh://<target-ip>
If login attempts are processed for root account, exposure is confirmed.
Exploitation Prerequisites
- Network access to port 22
- SSH service enabled
- Root login permitted
- Weak or exposed root credentials
Remediation
It is recommended that direct root login over SSH be disabled immediately.
Recommended actions:
- Set
PermitRootLogin noin sshd_config - Enforce key-based authentication
- Use non-privileged accounts with sudo access
- Restrict SSH access to trusted IP addresses
- Implement multi-factor authentication
- Monitor failed login attempts
After modifying configuration, restart the SSH service to enforce changes.
Detection and Monitoring
- Monitor SSH logs for root login attempts
- Alert on repeated failed root authentication
- Implement intrusion prevention for brute-force behavior
- Conduct periodic configuration audits