diff --git a/defaults/main.yml b/defaults/main.yml
index 0f4d4316..98ce9019 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -211,11 +211,11 @@ security_ssh_client_alive_interval: 900 # V-38608
 # Timeout ssh sessions as soon as ClientAliveInterval is reached once
 security_ssh_client_alive_count_max: 0 # V-38610
 #
-# The ssh daemon must not permit root logins. The default value of 'yes' is a
-# deviation from the STIG requirements due to how openstack-ansible operates,
-# especially within OpenStack CI gate jobs. See documentation for V-38613 for
-# more details.
-security_ssh_permit_root_login: 'yes' # V-38613
+# The ssh daemon must not permit root logins. The default value of
+# 'without-password' is a deviation from the STIG requirements due to how
+# OpenStack-Ansible operates, especially within OpenStack CI gate jobs. See
+# documentation for V-38613 for more details.
+security_ssh_permit_root_login: 'without-password' # V-38613
 
 ## Kernel
 # Set these booleans to 'yes' to disable the kernel module (following the
diff --git a/doc/metadata/rhel6/V-38613.rst b/doc/metadata/rhel6/V-38613.rst
index bd1c5284..5c89a689 100644
--- a/doc/metadata/rhel6/V-38613.rst
+++ b/doc/metadata/rhel6/V-38613.rst
@@ -5,9 +5,9 @@ tag: sshd
 ---
 Although the STIG recommends disabling root logins via ssh, the default in
-this role is to allow it. The openstack-ansible deployment uses the root
-user by default at this time, but that may change later and allow for this
-configuration to be set.
+this role is to allow it with a key authentication. The OpenStack-Ansible
+deployment uses the root user by default at this time, but that may change
+later and allow for this configuration to be set.
 
 To disallow root logins via ssh, simply adjust this configuration variable:
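Review bot: The new `security_ssh_permit_root_login: 'without-password'` default disables only password and keyboard-interactive authentication for root; public-key, host-based and GSSAPI root logins remain allowed, so the comment directly above it ("must not permit root logins") and the rst/release-note wording that root can "only" authenticate via a key overstate what the setting enforces. I would append to the comment block `# 'without-password' still permits root login by public key (and host-based/GSSAPI); any key in root's authorized_keys grants access. Set to 'no' to actually meet V-38613.` so deployers reading defaults understand the residual exposure and what the STIG-compliant value is. It is also worth a one-line note that OpenSSH 7.0 and later spell this value `prohibit-password` and keep `without-password` only as a deprecated alias, since hosts newer than the RHEL 6 target may eventually stop accepting it; whether this role's supported platforms already include such versions I cannot tell from the hunk.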
diff --git a/releasenotes/notes/sshd-permit-root-login-without-password-948ec79c6508c19b.yaml b/releasenotes/notes/sshd-permit-root-login-without-password-948ec79c6508c19b.yaml
new file mode 100644
index 00000000..882da899
--- /dev/null
+++ b/releasenotes/notes/sshd-permit-root-login-without-password-948ec79c6508c19b.yaml
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ ``PermitRootLogin`` in the ssh configuration has changed from
+ ``yes`` to ``without-password``. This will only allow ssh to be used
+ to authenticate root via a key.