Harden the SSH daemon
The SSH server still allows root logins and password auth, the two settings every attacker hopes to find. Lock down sshd_config to key-only, no-root access.
Scenario
web1's sshd_config is still close to the install defaults: root can log in directly and
password authentication is on. Together those are the single most common way servers get
compromised. Harden it.
Your job
Edit sshd_config so that:
- root cannot log in over SSH (PermitRootLogin no)
- only SSH keys are accepted, not passwords (PasswordAuthentication no)
- accounts with empty passwords are refused (PermitEmptyPasswords no)
How it's graded
Structural check on the directives (we read the effective sshd_config, not a live login). sshd uses
the first value it sees for each keyword, so set each one once and cleanly.
Teaches: SSH server hardening, the first checklist item in every server-hardening and CIS benchmark.
What gets checked
Your solution is verified against each of these:
- PermitRootLogin is set to no
- PasswordAuthentication is set to no (key-only)
- PermitEmptyPasswords is set to no
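The first-value rule under "How it's graded" is where a fix most often goes wrong: a corrected line appended below a stale one has no effect. The following is an added example, not the grader's own code. It audits the global section of an sshd_config text and reports both wrong effective values and later duplicates that sshd would ignore. The names REQUIRED, effective_settings and audit and both sample configs are constructed for illustration. It assumes Include files are not followed and treats a missing keyword as a failure.

```python
import re

# The three directives this exercise checks, with their required values.
REQUIRED = {"permitrootlogin": "no",
            "passwordauthentication": "no",
            "permitemptypasswords": "no"}

def effective_settings(config_text):
    """Return (first value per keyword, later ignored values) for the global section."""
    first, shadowed = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments set nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional blocks follow; only the global section is audited here
        if key in first:
            shadowed.setdefault(key, []).append(value)
        else:
            first[key] = value
    return first, shadowed

def audit(config_text):
    """List findings; an empty list means all three directives pass."""
    first, shadowed = effective_settings(config_text)
    findings = []
    for key, want in REQUIRED.items():
        got = first.get(key)
        if got != want:
            findings.append(f"{key}: effective value is {got!r}, expected {want!r}")
        for later in shadowed.get(key, []):
            findings.append(f"{key}: later value {later!r} is ignored (first value wins)")
    return findings

# Constructed sample: the fix was appended below the old line, so it never applies.
APPENDED_FIX = """# constructed sample, not from a real host
PermitRootLogin yes
PasswordAuthentication no
#PermitEmptyPasswords no
PermitRootLogin no
"""
# Constructed sample: each directive set once.
HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nPermitEmptyPasswords no\n"

if __name__ == "__main__":
    print("\n".join(audit(APPENDED_FIX)) or "all checks pass")
```

On a real host, `sshd -T` prints the configuration the daemon would actually use, which also accounts for included files.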
Solve it in your browser
No setup, no install. Write your solution in the editor and hit Check. The in-house engine renders and grades it instantly, then issues your proof the moment every check passes.
Prefer your own lab?
- Build the fix locally. New to the tooling? See setting up your lab.
- Push your topology file, device configs, and any playbooks to a public repo (GitHub or GitLab).
- Submit the repo link. We review it by hand, confirm it works, and issue your proof page.