How do I block access to the root user over an SSH session on my Linux server? How can I block the root user from logging in over an ssh-based session for security reasons?
sshd (OpenSSH Daemon) is the daemon program for ssh. Server-side ssh configuration is defined in the /etc/ssh/sshd_config file on Linux. ssh is the client program for the sshd daemon. You can use the DenyUsers option to block access to the root user on Linux. Another option to block root user access is to set PermitRootLogin to no in the sshd_config file.
Procedure for disabling SSH login for root user
To disable SSH logins for the root account:
- Log in to the Linux or Unix server using ssh: ssh user@your-server
- Edit the /etc/ssh/sshd_config file using vi
- Set PermitRootLogin no to disable SSH logins for root
- Save and close the file
- Reload sshd server in order to deny root log in
Let us see all steps in detail.
Linux OpenSSH server deny root user access / log in
DenyUsers option can block any user. This option can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID (UID) is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
Open /etc/ssh/sshd_config file
Use the vi command to edit the /etc/ssh/sshd_config file:
# vi /etc/ssh/sshd_config
Deny root user access
Append or modify as follows to block the root user:
DenyUsers root
If you want to block additional users, just append their names to DenyUsers, separated by spaces (not commas; a comma becomes part of the pattern and "root," would no longer match root):
DenyUsers root user2 user3
Save and close the file. Restart sshd service:
$ sudo service sshd restart
For systemd based system:
$ sudo systemctl restart sshd
OpenSSH deny root user using PermitRootLogin option
This option specifies whether root can log in using ssh. The syntax is:
PermitRootLogin yes|prohibit-password|forced-commands-only|no
The option must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password. For example, to deny root log in over ssh, set it as follows in your sshd_config file:
PermitRootLogin no
Once again, restart or reload the sshd service (the systemd unit is named sshd on most distributions and ssh on Debian and Ubuntu):
sudo systemctl restart ssh
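Because sshd uses the first value it finds for each keyword and treats settings inside a Match block as conditional, a quick audit of the file before the restart catches the mistakes that a plain grep misses. The script below is an added example, not from the original page; it assumes POSIX sh plus awk and exercises constructed sample files rather than a real host's configuration.

```shell
#!/bin/sh
# Audit an sshd_config for root-login exposure without touching the live daemon.
# sshd uses the FIRST value it finds for each keyword, and settings inside a
# "Match" block apply only to that match, so a plain grep can mislead.

# Print the effective global value of a keyword: first occurrence before any Match block.
sshd_global_value() {   # $1 = keyword, $2 = config file
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "match"      { exit }          # global section ends here
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# Exit 0 when root is blocked (PermitRootLogin no, or root listed in DenyUsers),
# 1 when root can still log in. Warns when DenyUsers is comma-separated.
root_login_blocked() {  # $1 = config file
    prl=$(sshd_global_value PermitRootLogin "$1" | tr 'A-Z' 'a-z')
    deny=$(sshd_global_value DenyUsers "$1")
    case "$deny" in *,*) echo "warning: DenyUsers patterns must be space-separated, not comma-separated" >&2 ;; esac
    for u in $deny; do
        [ "$u" = "root" ] && return 0   # exact pattern only; a root@host entry blocks just that host
    done
    [ "$prl" = "no" ]
}

# Constructed sample files (not from any real host) covering the common mistakes.
tmp=${TMPDIR:-/tmp}/sshd_audit.$$
mkdir -p "$tmp"
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no'   > "$tmp/first_wins.conf"   # appended "no" loses
printf '%s\n' 'DenyUsers root, user2'                      > "$tmp/comma_bug.conf"    # "root," never matches root
printf '%s\n' 'Match User bob' '    PermitRootLogin no'    > "$tmp/match_only.conf"   # not a global setting
printf '%s\n' 'DenyUsers root user2'                       > "$tmp/deny_ok.conf"
printf '%s\n' '# comment' 'PermitRootLogin no'             > "$tmp/prl_ok.conf"

for f in "$tmp"/*.conf; do
    if root_login_blocked "$f"; then echo "$f: root login blocked"
    else echo "$f: root can still log in"; fi
done
```

On a live server, `sudo sshd -t` validates the file's syntax before the restart and `sudo sshd -T | grep -i permitrootlogin` prints the value the running binary would actually apply.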
Run the ssh command as follows to try to log in as root:
$ ssh root@your-server
You should see an error as follows:
root@your-server: Permission denied (publickey).
You can now only log in as a normal, non-root user:
$ ssh user@your-server
Next, use the sudo command or the su command to gain a root shell:
$ sudo -i
or
$ su -
This page explained how to disable and deny SSH login for the root user on Linux. For more info see the sshd_config man page (man sshd_config). However, I strongly suggest that you set up SSH keys for logging in. See:
- How To Setup SSH Keys on a Linux / Unix System
- SSH Public Key Based Authentication on a Linux/Unix server
- OpenSSH security best practices