os_sshd_permit_root_login_configure remediation code appends "permitrootlogin no" #205

Closed
opened 2026-01-19 18:29:38 +00:00 by michael · 7 comments

Originally created by @cipineda on GitHub.

Originally assigned to: @brodjieski on GitHub.

Summary

The file created by the remediation code gets the text "permitrootlogin no" appended each time the script is executed.

My file /etc/ssh/sshd_config.d/01-mscp-sshd.conf has 369 lines with the same text; I guess this is looping because of a previous issue (#194) I have open with you guys.

Steps to reproduce

This code simply appends the text "permitrootlogin no"; it does not check whether the file is there or whether the text already exists, it simply appends to it.

```bash
include_dir=$(/usr/bin/awk '/^Include/ {print $2}' /etc/ssh/sshd_config | /usr/bin/tr -d '*')
if [[ -z $include_dir ]]; then
  /usr/bin/sed -i.bk "1s/.*/Include \/etc\/ssh\/sshd_config.d\/\*/" /etc/ssh/sshd_config
fi
echo "permitrootlogin no" >> "${include_dir}01-mscp-sshd.conf"
for file in $(ls ${include_dir}); do
  if [[ "$file" == "100-macos.conf" ]]; then
    continue
  fi
  if [[ "$file" == "01-mscp-sshd.conf" ]]; then
    break
  fi
  # (the rest of the loop body is cut off in the quoted snippet)
done
```

Operating System version

ProductName: macOS
ProductVersion: 13.1
BuildVersion: 22C5050e

ProductName: macOS
ProductVersion: 13.0.1
BuildVersion: 22A400

Intel or Apple Silicon

Intel-based processor and Apple Silicon Mac

What is the current bug behavior?

The file /etc/ssh/sshd_config.d/01-mscp-sshd.conf has 369 lines with the same text "permitrootlogin no".

What is the expected correct behavior?

The remediation script should validate whether the text already exists, and if so simply exit.

Relevant logs and/or screenshots

Output of checks

cat /etc/ssh/sshd_config.d/01-mscp-sshd.conf | wc -l
369

cat 01-mscp-sshd.conf
permitrootlogin no
permitrootlogin no
permitrootlogin no
permitrootlogin no
permitrootlogin no
permitrootlogin no

Possible fixes

Check if the text "permitrootlogin no" exists in the file; if yes, do not add it to the conf file.

```bash
result_value=$(cat ${include_dir}01-mscp-sshd.conf | grep "permitrootlogin no" | wc -l | xargs)
if [[ $result_value -eq 0 ]]; then
  echo "permitrootlogin no" >> "${include_dir}01-mscp-sshd.conf"
fi
```


@robertgendler commented on GitHub:

this fix was merged into main. closing the issue.


@sambacha commented on GitHub:

This issue still exists


@brodjieski commented on GitHub:

The remediation script will only run the code if it has identified a failed check. If you are seeing that the remediation code continues to run, and is appending multiple entries, then the check still is not passing, and there is a misconfiguration on the system. Verify that your sshd configuration is not configured with permitrootlogin to be any other value than no.

This typically is the case if there is an entry for permitrootlogin defined in the /etc/ssh/sshd_config file prior to the Include directive, or an included config file that is processed before the 01-mscp-sshd.conf file with the entry present.

Use sudo /usr/sbin/sshd -T | /usr/bin/awk '/permitrootlogin/{print $2}' to ensure the return value is no.

If we were to add the test for the existence of permitrootlogin no to the 01-mscp-sshd.conf file, while it would help prevent multiple entries in the file, it wouldn't solve the issue of a misconfiguration. Seeing this duplicate entry in the file is a good indicator that something is not quite right with the setup.

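Added example, not the macos_security project's own code, covering both the duplicate-append bug from the issue body and the effective-value check from the comment above: ensure_setting is an idempotent replacement for the bare `echo ... >>` (re-running it never duplicates the line, and an existing pile of duplicates collapses to one entry), and effective_value / check_root_login read what sshd actually uses out of `sshd -T` output, which is what keeps failing when an earlier config file sets the key. Function names and the sample output are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the macos_security project's own code (names are assumptions).
# ensure_setting: idempotent replacement for the bare `echo ... >>` in the fix,
# so re-running never duplicates the line and an existing 369-line pile collapses
# to one entry. effective_value/check_root_login: read the value sshd actually
# uses from `sshd -T` output, which is the check the maintainer points at.

# ensure_setting FILE KEY VALUE
# Leaves exactly one "KEY VALUE" line in FILE: rewrites existing lines for KEY
# (sshd keywords are case-insensitive, so match that way) or appends if absent.
ensure_setting() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || : > "$file"
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    tolower($1) == tolower(k) { if (!seen) print k, v; seen = 1; next }
    { print }
    END { if (!seen) print k, v }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # cat, not mv, so the target keeps its owner and mode
  cat "$tmp" > "$file"; rm -f "$tmp"
}

# effective_value KEY  (reads `sshd -T` output on stdin)
# Prints the value sshd reports for KEY after all Include files are merged.
effective_value() {
  awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# check_root_login  (reads `sshd -T` output on stdin)
# Succeeds only when the effective PermitRootLogin is "no".
check_root_login() {
  [ "$(effective_value permitrootlogin)" = "no" ]
}

# Constructed sample of `sudo /usr/sbin/sshd -T` output for a host where a file
# processed before 01-mscp-sshd.conf sets PermitRootLogin yes: the fix keeps
# appending its line, yet the check keeps failing, as described in the issue.
SAMPLE_SSHD_T='port 22
permitrootlogin yes
passwordauthentication no'

# Usage on a live host (run as root):
#   ensure_setting /etc/ssh/sshd_config.d/01-mscp-sshd.conf PermitRootLogin no
#   /usr/sbin/sshd -T | check_root_login && echo pass || echo fail
```

Because check_root_login reads the merged configuration rather than the file the remediation wrote, it distinguishes "line missing from 01-mscp-sshd.conf" from "line present but overridden earlier", which the duplicate-line symptom alone does not.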

@robertgendler commented on GitHub:

@sambacha what branch are you working off of? Because I'm not seeing this happen when using the most current


@golbiga commented on GitHub:

We're going to look into updating the ssh fix to prevent duplicates.


@sambacha commented on GitHub:

Sonoma


@robertgendler commented on GitHub:

Still not seeing it. I've tried re-creating the issue and it's working fine and not duplicating "permitrootlogin no".

You'll need to provide either a copy of the rule file from your set up or screenshot or something?

Reference: usnistgov/macos_security#205