Disable or Enable SSH Root Login and Limit SSH Access in Linux

Linux systems come with a root user account, and by default root login over SSH is enabled to the outside world. For security reasons it is not a good idea to leave SSH root access open to unauthorized users, because any attacker can try to brute-force your password and gain access to your system.


So, it’s better to have another account that you use regularly and then switch to the root user with the ‘su -’ command when necessary. Before we start, make sure you have a regular user account from which you can su or sudo to gain root access.

In Linux, it’s very easy to create a separate account: log in as the root user and run the ‘adduser’ command to create the user. Once the user is created, follow the steps below to disable root login via SSH.

We use the sshd main configuration file to disable root login, which helps prevent an attacker from gaining root access to your Linux box. We will also see how to enable root access again and how to limit SSH access to a list of users.

Disable SSH Root Login

To disable root login, open the main ssh configuration file /etc/ssh/sshd_config with your choice of editor.

# vi /etc/ssh/sshd_config

Search for the following line in the file.

#PermitRootLogin no

Remove the ‘#’ from the beginning of the line so that it looks like this.

PermitRootLogin no

Next, we need to restart the SSH daemon service.

# /etc/init.d/sshd restart

Now try to log in as the root user; you will get an “Access denied” error.

login as: root
Access denied
[email protected]'s password:

From now on, log in as a normal user and then use the ‘su’ command to switch to the root user.

login as: tecmint
Access denied
[email protected]'s password:
Last login: Tue Oct 16 17:37:56 2012 from
[[email protected] ~]$ su -
[[email protected] ~]#

Enable SSH Root Login

To enable SSH root login, open the file /etc/ssh/sshd_config.

# vi /etc/ssh/sshd_config

Search for the following line, put a ‘#’ at the beginning of it, and save the file.

# PermitRootLogin no

Restart the sshd service.

# /etc/init.d/sshd restart

Now try to log in as the root user.

login as: root
Access denied
[email protected]'s password:
Last login: Tue Nov 20 16:51:41 2012 from
[[email protected] ~]#

Limit SSH User Logins

If you have a large number of user accounts on the system, it makes sense to limit remote access to those users who really need it. Open the /etc/ssh/sshd_config file.

# vi /etc/ssh/sshd_config

Add an AllowUsers line at the bottom of the file with a space-separated list of usernames. For example, to give the users tecmint and sheena remote SSH access:

AllowUsers tecmint sheena

Now restart ssh service.
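
An added example, not part of the original article: a shell check for the PermitRootLogin and AllowUsers settings described above, run against a constructed sample file. It assumes plain `Keyword value` lines and relies on sshd keeping the first value it reads for a keyword, which is why a `PermitRootLogin no` appended below an existing `yes` has no effect. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): audit the global section of an
# sshd_config-style file. sshd keeps the FIRST value it reads for a keyword such
# as PermitRootLogin, so a later "PermitRootLogin no" does not override an
# earlier "PermitRootLogin yes". Only "Keyword value" syntax is handled here.

# Print the first uncommented value of KEYWORD before any Match block.
effective_value() {   # usage: effective_value FILE KEYWORD
    awk -v kw="$2" '
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print every user named on global AllowUsers lines (these lines accumulate).
allowed_users() {     # usage: allowed_users FILE
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }
    ' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 only if root login is off and an AllowUsers list exists.
audit_sshd_config() { # usage: audit_sshd_config FILE
    prl=$(effective_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    users=$(allowed_users "$1")
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin=${prl:-unset}"; return 1; }
    [ -n "$users" ] || { echo "FAIL: no global AllowUsers"; return 1; }
    echo "OK: PermitRootLogin=no AllowUsers=$users"
}

# Constructed sample: "no" was appended below an existing "yes".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
AllowUsers tecmint
AllowUsers sheena
Match User sftponly
    ForceCommand internal-sftp
EOF
audit_sshd_config "$SAMPLE" || true
```

On a live host, `sshd -t` validates the file before the service is restarted, and `sshd -T` prints the settings sshd will actually use.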


Ravi Saive

I am Ravi Saive, creator of TecMint. A computer geek and Linux guru who loves to share tricks and tips on the Internet. Most of my servers run on the open source platform called Linux.


17 Responses

  1. Chris Marabate says:

    Nevermind I was getting hacked while I was trying to do this and that was the cause of all my issues. It worked great on the new server I ended up having to install. Sorry about all the comments!

    • Ravi Saive says:


      Thanks for the latest update, you almost scared me, even I am wondering what’s wrong with my article, how it’s broken your server…

  2. Chris Marabate says:

    Oh no this is worse than I thought, it appears to have completely broken my server. All my sites are giving me Apache HTTP server error pages. I need help as soon as possible. How could this have broken my server? I can still access the server with Webmin and from the server directly, apache web server is still running.. I don’t understand how just changing the root user permission and changing it back messed everything up so bad.

  3. Chris Marabate says:

    After I disabled root access, I can no longer connect via SSH at all with either Putty or WinSCP. I get the following error before I even get to type in my username… “Network error: Software caused connection abort”

    I even went back and re-enabled root access but it didn’t work, I still can’t access my server using SSH.

    I would appreciate any advice anyone has for me.



  4. Ermir says:

    Hi Ravi,
    I have limited access for a user to access only his home folder on SFTP (tutorial –> https://www.linode.com/docs/tools-reference/tools/limiting-access-with-sftp-jails-on-debian-and-ubuntu). But now I can’t log in via PuTTY with this user. What’s going wrong?
    I put “AllowUsers username” at the bottom of sshd_config but still nothing. Please help?

  5. Rajgopal H.G. says:

    Excellent article. Even the first time Linux users can understand and implement it at one shot.!!

  6. Ilya says:

    There are steps in the article like this:

    Restart the sshd service.
    # /etc/init.d/sshd restart

    Restarting can kill existing SSH connections to the host.

    Instead of restarting when only reconfiguration is needed you can send SSHD process the SIGHUP signal with KILL command:

    sudo kill -s SIGHUP $SSHDPID

    You will need $SSHDPID, process ID for SSHD , it can be found by a command like

    ps -AF | grep /usr/sbin/sshd

  7. Garik says:

    Thank you for your very useful articles. You are a master!

  8. k satyanarayana says:

    Need document of “how to existing Windows 2003 domain convert into Linux domain without disturbance of existing”.

  9. Matt says:

    Hi Ravi,

    I have disabled the root SSH on CentOS with Cpanel.
    I need to reenable it but my other user now can’t access the # vi /etc/ssh/sshd_config

    User apparently does not have the sudo rights I guess..
    What can I do?

    Thank you

    • Ravi Saive says:

      Why are you allowing your normal user to access the sshd_config file?

    • Vien Mai says:

      You can open an SSH session to the server with a normal user, then issue sudo su (on Ubuntu) to change to root, then you can re-enable SSH for root. However, I have heard that login by root account over SSH is not encouraged for security reasons.

  10. rahul says:

    hello. thank you for this.
    i like your article.
    you are very perfect in it.
    good luck
