Did You Know?
Donate to TecMint

LFCS - Linux Foundation Certified SysAdmin - Exam Preparation Guide

Disable or Enable SSH Root Login and Limit SSH Access in Linux

Download Your Free eBooks NOW - 10 Free Linux eBooks for Administrators

Today, everyone knows that Linux systems comes with root user access and by default the root access is enabled for outside world. For security reason it’s not a good idea to have ssh root access enabled for unauthorized users. Because any hacker can try to brute force your password and gain access to your system.

Disable Root Login

Disable SSH Root Login

So, its better to have another account that you regularly use and then switch to root user by using ‘su -‘ command when necessary. Before we start, make sure you have a regular user account and with that you su or sudo to gain root access.

In Linux, it’s very easy to create separate account, login as root user and simply run the ‘adduser‘ command to create separate user. Once user is created, just follow the below steps to disable root login via SSH.

We use sshd master configuration file to disable root login and this will may decrease and prevent the hacker from gaining root access to your Linux box. We also see how to enable root access again as well as how to limit ssh access based on users list.

Disable SSH Root Login

To disable root login, open the main ssh configuration file /etc/ssh/sshd_config with your choice of editor.

# vi /etc/ssh/sshd_config

Search for the following line in the file.

#PermitRootLogin no

Remove the ‘#‘ from the beginning of the line.  Make the line look like similar to this.

PermitRootLogin no

Next, we need to restart the SSH daemon service.

# /etc/init.d/sshd restart

Now try to login with root user, you will get “Access Denied” error.

login as: root
Access denied
root@172.31.41.51's password:

So, from now onwards login as normal user and then use ‘su’ command to switch to root user.

login as: tecmint
Access denied
tecmint@172.16.25.126's password:
Last login: Tue Oct 16 17:37:56 2012 from 172.16.25.125
[tecmint@tecmint ~]$ su -
Password:
[root@tecmint ~]#

Enable SSH Root Login

To enable ssh root logging, open the file /etc/ssh/sshd_config.

# vi /etc/ssh/sshd_config

Search for the following line and put the ‘#‘ at the beginning and save the file.

# PermitRootLogin no

Restart the sshd service.

# /etc/init.d/sshd restart

Now try to login with root user.

login as: root
Access denied
root@172.16.25.126's password:
Last login: Tue Nov 20 16:51:41 2012 from 172.16.25.125
[root@tecmint ~]#

Limit SSH User Logins

If you have large number of user accounts on the systems, then it makes sense that we limit remote access to those users who really need it. Open the /etc/ssh/sshd_config file.

# vi /etc/ssh/sshd_config

Add an AllowUsers line at the bottom of the file with a space separated by list of usernames. For example, user tecmint and sheena both have access to remote ssh.

AllowUsers tecmint sheena

Now restart ssh service.

Ravi Saive

Owner at TecMint.com
Simple Word a Computer Geek and Linux Guru who loves to share tricks and tips on Internet. Most Of My Servers runs on Open Source Platform called Linux.

Your name can also be listed here. Work as a Paid freelancer/writer at TecMint.
Download Free eBooks
Advanced Bash-Scripting Guide
Linux Bible
A Newbie's Getting Started Guide to Linux
Ubuntu Linux Toolbox: 1000+ Commands

9 Responses

  1. rahul says:

    hello. thank you for this.
    i like your article.
    you are very perfect in it.
    good luck

  2. Matt says:

    Hi Ravi,

    I have disabled the root SSH on CentOS with Cpanel.
    I need to reenable it but my other user now can’t access the # vi /etc/ssh/sshd_config

    User apparently does not have the sudo rights I guess..
    What can I do?

    Thank you

    • Ravi Saive says:

      Why you allowing your normal user to access sshd_config file?

    • Vien Mai says:

      You can open ssh session to the server with normal user then issue sudo su (On Ubuntu) to change to root then you can re-enable ssh for root. However, I have heard that login by root account over SSH is not encouraged due to security reason.

  3. k satyanarayana says:

    Need document of ” how to existing windows 2003 domain convert into Linux domain without distrubence of existing.

  4. Garik says:

    Hello!
    Thank you for yours very usefull articles. You are a master!

  5. Ilya says:

    There are steps in the article like this:

    Restart the sshd service.
    # /etc/init.d/sshd restart

    Restarting can kill existing SSH connections to the host.

    Instead of restarting when only reconfiguration is needed you can send SSHD process the SIGHUP signal with KILL command:

    sudo kill -s SIGHUP $SSHDPID

    You will need $SSHDPID, process ID for SSHD , it can be found by a command like

    ps -AF | grep /usr/sbin/sshd

  6. Rajgopal H.G. says:

    Excellent article. Even the first time Linux users can understand and implement it at one shot.!!

Leave a Reply

This work is licensed under a (cc) BY-NC | TecMint uses cookies. By using our services, you comply to use of our cookies. More info: Privacy Policy.
© 2012-2014 All Rights Reserved.