Use case
SSH configuration audit with Blackglass
SSH is the primary management plane for most Linux infrastructure. A single misconfigured directive — PermitRootLogin, PasswordAuthentication, weak ciphers — can turn a hardened host into a liability. Blackglass keeps a continuous audit of every SSH directive across your fleet.
Why SSH audits are hard to sustain manually
- sshd_config can include fragment files from /etc/ssh/sshd_config.d/. Point-in-time reviews miss Include changes entirely.
- Package upgrades sometimes ship a new default sshd_config that silently resets a directive you previously hardened.
- Fleet size makes manual per-host review impractical. A 50-host spreadsheet goes stale within days.
- Auditors and frameworks (CIS, SOC 2, ISO 27001) routinely ask for SSH posture evidence. Screenshots and ad-hoc exports are not reproducible.
Common SSH misconfigurations Blackglass surfaces
| Directive | Risk | Why it matters |
|---|---|---|
| PermitRootLogin yes | HIGH | Allows direct root login over SSH, removing the sudo audit trail and meaning that a successful password guess yields root directly. |
| PasswordAuthentication yes | HIGH | Enables password-based authentication. Combined with weak passwords or password reuse, this is a common initial access vector. |
| PermitEmptyPasswords yes | HIGH | Allows accounts with no password to authenticate. Should never appear on a production host. |
| X11Forwarding yes | MEDIUM | Increases attack surface for X11-related exploits. Rarely needed on server-class Linux hosts. |
| Weak Ciphers / MACs / KEX | MEDIUM | Older algorithms (arcfour, hmac-md5, the diffie-hellman-group1 key exchange) have known cryptographic weaknesses that a network attacker can exploit. |
| MaxAuthTries not set (default 6) | LOW | Allows more guesses per connection than most hardening guides recommend (≤3). |
How Blackglass handles SSH auditing
- Full directive capture. On each scan, Blackglass collects the effective SSH configuration — including resolved Include fragments — so the baseline reflects what sshd actually applies, not just the main file.
- Baseline comparison. Each directive is compared to your approved baseline. New, removed, and changed directives are shown separately with their severity classification.
- Fleet-wide posture view. The SSH posture panel on the host detail view shows passing, warning, and failing checks at a glance. The fleet dashboard rolls this up across all managed hosts.
- Evidence export. Export a dated evidence bundle for a host or the whole fleet — including baseline diffs, operator notes, and remediation records — for audit or review submissions.
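As an added example (not Blackglass's own collector or scoring logic, which this page does not publish), the following Python script does in miniature what the misconfiguration table and the directive-capture / baseline-comparison steps above describe: it resolves an sshd_config tree with its Include fragments into the effective configuration, applies the table's checks, and splits the result into new, removed, and changed directives against an approved baseline. It assumes sshd's documented parsing rules (first occurrence of a keyword wins, Include globs are relative to /etc/ssh, Match-block directives apply only conditionally), writes a constructed sample tree to a temporary directory, and uses an illustrative weak-algorithm deny-list and baseline; none of those values come from a real host.

```python
"""Resolve an sshd_config tree into its effective directives, score it with
the misconfiguration table, and diff it against an approved baseline."""
import glob
import os
import re
import tempfile

# Illustrative deny-list for the "weak algorithms" row (an assumption, not an
# exhaustive list): arcfour ciphers, MD5 MACs and the group1 key exchange.
WEAK_ALGOS = {"arcfour", "arcfour128", "arcfour256", "hmac-md5", "hmac-md5-96",
              "diffie-hellman-group1-sha1"}


def parse_sshd_config(path, base_dir=None, seen=None):
    """Return the effective directives as {keyword_lower: value}.

    sshd rules mirrored here: first occurrence of a keyword wins; Include is
    expanded in place (globs allowed, relative paths resolve against base_dir,
    which stands in for /etc/ssh); directives inside a Match block are skipped
    because they apply only when the Match conditions hold.
    """
    base_dir = base_dir or os.path.dirname(os.path.abspath(path))
    seen = set() if seen is None else seen
    effective = {}
    real = os.path.realpath(path)
    if real in seen:                      # guard against Include loops
        return effective
    seen.add(real)
    in_match = False
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key value" or "Key=value"
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                in_match = True            # rest of this file is conditional
                continue
            if in_match:
                continue
            if key == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(base_dir, pattern)
                    for fragment in sorted(glob.glob(pattern)):
                        for k, v in parse_sshd_config(fragment, base_dir, seen).items():
                            effective.setdefault(k, v)
                continue
            effective.setdefault(key, value)   # first match wins
    return effective


def audit(effective):
    """Apply the table's checks; returns [(directive, severity, observed)].
    Unset directives are judged by OpenSSH's compiled-in defaults."""
    cfg = {k: v.lower() for k, v in effective.items()}
    findings = []
    boolean_checks = [
        ("PermitRootLogin", cfg.get("permitrootlogin", "prohibit-password") == "yes", "HIGH"),
        ("PasswordAuthentication", cfg.get("passwordauthentication", "yes") == "yes", "HIGH"),
        ("PermitEmptyPasswords", cfg.get("permitemptypasswords", "no") == "yes", "HIGH"),
        ("X11Forwarding", cfg.get("x11forwarding", "no") == "yes", "MEDIUM"),
    ]
    for name, failed, severity in boolean_checks:
        if failed:
            findings.append((name, severity, effective.get(name.lower(), "<default>")))
    for name in ("Ciphers", "MACs", "KexAlgorithms"):
        raw = cfg.get(name.lower(), "")
        if raw.startswith("-"):            # "-alg,..." removes algorithms; nothing to flag
            continue
        algos = {a.strip() for a in raw.lstrip("+^").split(",") if a.strip()}
        weak = sorted(algos & WEAK_ALGOS)
        if weak:
            findings.append((name, "MEDIUM", ",".join(weak)))
    try:
        tries = int(cfg.get("maxauthtries", "6"))
    except ValueError:
        tries = 6
    if tries > 3:                           # hardening guides recommend <= 3
        findings.append(("MaxAuthTries", "LOW", str(tries)))
    return findings


def diff_against_baseline(effective, baseline):
    """Split directives into new / removed / changed relative to the baseline."""
    return {
        "new": sorted(k for k in effective if k not in baseline),
        "removed": sorted(k for k in baseline if k not in effective),
        "changed": sorted(k for k in effective
                          if k in baseline and effective[k].lower() != baseline[k].lower()),
    }


def demo():
    """Write a constructed sshd_config tree to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sshd_config.d"))
        main = os.path.join(root, "sshd_config")
        with open(main, "w") as fh:
            fh.write("# constructed sample, not a real host\n"
                     "Include sshd_config.d/*.conf\n"
                     "PermitRootLogin no\n"           # loses: the fragment above is read first
                     "PasswordAuthentication no\n"
                     "MaxAuthTries 6\n"
                     "Match User deploy\n"
                     "    AllowTcpForwarding no\n")   # conditional, not part of the global view
        with open(os.path.join(root, "sshd_config.d", "50-cloud.conf"), "w") as fh:
            fh.write("PermitRootLogin yes\nCiphers aes256-ctr,arcfour\n")
        effective = parse_sshd_config(main, base_dir=root)
    baseline = {"permitrootlogin": "no", "passwordauthentication": "no",
                "maxauthtries": "3", "x11forwarding": "no"}   # constructed approved baseline
    return effective, audit(effective), diff_against_baseline(effective, baseline)


if __name__ == "__main__":
    _, findings, drift = demo()
    for name, severity, observed in findings:
        print(f"{severity:6} {name} = {observed}")
    print(drift)
```

The demo shows the two traps from the list above: the fragment under sshd_config.d/ is read at the Include point, so its `PermitRootLogin yes` wins over the `no` in the main file, and the Match-scoped directive never reaches the global view. On a real host, `sshd -T` prints the configuration sshd itself has resolved and is the authoritative source for a scan; a parser like this one is useful for reviewing configuration trees offline (for example in a repository or an evidence bundle) where sshd cannot be run.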
Related use cases
- Linux configuration drift detection — broader drift tracking beyond SSH.
- CIS benchmark monitoring — map SSH checks to CIS recommendations.
- Linux hardening monitoring — baseline capture and hardening evidence.