Linux OpenSSH server deny root user access / log in

How do I block root user access over an ssh session on my Linux server? How can I block root user log in over ssh for security reasons?

The sshd (OpenSSH Daemon) is the server program for ssh, and ssh is the client program that connects to it. Server-side ssh configuration is defined in the /etc/ssh/sshd_config file on Linux. You can use the DenyUsers option to block access for the root user. Another way to block root access is to set PermitRootLogin to no in the sshd_config file.

Procedure for disabling SSH login for root user

To disable SSH logins for the root account:

  1. Log in to the Linux or Unix server using ssh: ssh [email protected]
  2. Edit the /etc/ssh/sshd_config file using vi
  3. Set PermitRootLogin no to disable SSH logins for root
  4. Save and close the file
  5. Reload sshd server in order to deny root log in

Let us see all the steps in detail.

Linux OpenSSH server deny root user access / log in

The DenyUsers option can block any user. It is followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID (UID) is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are checked separately, restricting logins to particular users from particular hosts.

Open /etc/ssh/sshd_config file

Use the vi command to edit the /etc/ssh/sshd_config file, run:
# vi /etc/ssh/sshd_config

Deny root user access

Append or modify as follows to block root user:
DenyUsers root
If you want to block additional users, append their names to DenyUsers, separated by spaces:
DenyUsers root user2 user3
Save and close the file. Restart sshd service:
# /etc/init.d/sshd restart
OR
$ sudo service sshd restart
For systemd based system:
$ sudo systemctl restart sshd

OpenSSH deny root user using PermitRootLogin option

This option specifies whether root can log in using ssh. The syntax is:
PermitRootLogin {option}
The option must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password. For example, to deny root log in over ssh set it as follows in your sshd_config file:
PermitRootLogin no
Once again, restart or reload the sshd service (the systemd unit is named ssh on Debian/Ubuntu and sshd on RHEL-family systems):
$ sudo systemctl restart ssh
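
The following is an added example, not part of the original tutorial: a shell function (the name audit_root_login is hypothetical) that checks an sshd_config-style file for either of the two settings above and warns about commas in DenyUsers, where names must be separated by spaces. It assumes only the global section before the first Match block matters and does not follow Include files.

```shell
#!/bin/sh
# Added example (not from the original page). audit_root_login is a
# hypothetical helper name.
#
# Assumptions: only the global section (before the first Match) is read,
# Include files are not followed, and only a literal "root" DenyUsers entry
# counts; wildcard and USER@HOST patterns are not evaluated.
audit_root_login() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    { key = tolower($1) }                    # keywords are case-insensitive
    key == "match" { exit }                  # stop at the first Match block
    key == "permitrootlogin" && prl == "" { prl = tolower($2) }  # first value wins
    key == "denyusers" {                     # DenyUsers lines accumulate
        for (i = 2; i <= NF; i++) {
            if ($i == "root") denied = 1
            # Names are space-separated; with a comma the pattern is "root,", not "root".
            if ($i ~ /,/) bad = bad " " $i
        }
    }
    END {
        if (bad != "") print "WARN: comma in DenyUsers pattern(s):" bad
        if (prl == "no") { print "OK: PermitRootLogin no"; exit 0 }
        if (denied)      { print "OK: DenyUsers root"; exit 0 }
        print "FAIL: root login allowed, PermitRootLogin=" (prl == "" ? "(default)" : prl)
        exit 1
    }' "$1"
}

# Constructed sample input: the comma form fails, the space-separated form passes.
demo=$(mktemp)
printf 'Port 22\nDenyUsers root, user2, user3\n' > "$demo"
audit_root_login "$demo" || true
printf 'Port 22\nDenyUsers root user2 user3\n' > "$demo"
audit_root_login "$demo" || true
rm -f "$demo"
```

On a live server, `sshd -T` (run as root) prints the effective configuration, and `sshd -t` checks the file for syntax errors before a restart.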

Test it

Run ssh command as follows:
ssh [email protected]
ssh [email protected]

You should see an error as follows:

[email protected]: Permission denied (publickey).

You can now log in only as a normal (non-root) user:
ssh [email protected]
Next, use the sudo command or su command to gain a root shell:
sudo -i
OR
su -

Conclusion

This page explained how to disable and deny SSH login for the root user on Linux. For more info, see the sshd_config man page. However, I strongly suggest that you set up SSH keys for log in. See:

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

Posted by Web Monkey
