How do I disable remote root login via ssh?


Solution 1

I'm going to take a guess on this one, but I'm pretty confident.

I bet there's a PermitRootLogin yes line already in your file. SSH will only use the first line it finds, and will ignore a duplicate further down. So if you just added PermitRootLogin no to the end of the file without removing the line above, there will be no effect.
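As an added example, not code from this answer or from the Debian or OpenSSH projects, the POSIX shell script below makes the first-line-wins rule concrete: effective_value prints the value sshd would actually use for a keyword, and set_sshd_option rewrites a file so the intended value wins. It goes slightly beyond the answer on points the sshd_config(5) manual page confirms: keywords are matched case-insensitively, both "Keyword value" and "Keyword=value" are accepted, and anything after a Match line applies only to matching connections, so a line appended to the very end of a file that ends in a Match block is conditional too. The helper names, the sample configuration (constructed for the demo, not a real Debian default file) and the mktemp usage are assumptions of this example.

```shell
#!/bin/sh
# Added example: sshd_config keeps the FIRST value it reads for a keyword, so a
# "PermitRootLogin no" appended below an existing "PermitRootLogin yes" does
# nothing. Keywords are case-insensitive and may be written "Keyword value" or
# "Keyword=value". Lines after a "Match" line are conditional.

# Print the value sshd would use for keyword $2 in file $1: the first active
# line in the global section (everything before the first Match line).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # normalise "Keyword=value" to "Keyword value"
            if (match(line, /^[^ \t=]+[ \t]*=/))
                line = substr(line, 1, RLENGTH - 1) " " substr(line, RLENGTH + 1)
            kw = line;  sub(/[ \t].*$/, "", kw);  kw = tolower(kw)
            val = line; sub(/^[^ \t]+[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (kw == "match") exit                # later lines are conditional
            if (kw == key) { print val; exit }     # first value wins
        }' "$1"
}

# Make "$2 $3" the effective setting in file $1: comment out every active line
# for that keyword in the global section and put the new line at the top.
# Lines inside Match blocks are left alone (they are per-connection overrides).
set_sshd_option() {
    file=$1
    tmp=$(mktemp) || return 1
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v newline="$2 $3" '
        BEGIN { print newline }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            kw = line;  sub(/[ \t=].*$/, "", kw);  kw = tolower(kw)
            if (kw == "match") in_match = 1
            if (!in_match && kw == key) print "#" $0; else print   # superseded by line 1
        }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample (not a real Debian file) reproducing the question: the
# shipped "PermitRootLogin yes" is still present, a Match block follows, and
# "PermitRootLogin no" was appended to the end, where it lands inside the block.
write_demo_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config sample
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    AllowTcpForwarding no
PermitRootLogin no
EOF
}

# Show the effective value before and after the fix.
run_demo() {
    f=$(mktemp) || return 1
    write_demo_config "$f"
    printf 'before: PermitRootLogin %s\n' "$(effective_value "$f" PermitRootLogin)"
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" ChallengeResponseAuthentication no
    printf 'after:  PermitRootLogin %s, PasswordAuthentication %s\n' \
        "$(effective_value "$f" PermitRootLogin)" \
        "$(effective_value "$f" PasswordAuthentication)"
    rm -f "$f"
}

run_demo
```

On a real Debian host, point the functions at /etc/ssh/sshd_config (the server file; ssh_config configures the client), then run sshd -t to check the syntax and sshd -T to dump the configuration the daemon will actually use before restarting it with /etc/init.d/ssh restart as the question does. The set_sshd_option helper deliberately leaves Match blocks untouched, so a stale copy of the keyword inside one is still worth reviewing by hand.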

Solution 2

One of the peculiarities of ssh is that PAM-based authentication can't be fully controlled by it directly. You should check the PAM stack /etc/pam.d/sshd; I would add pam_access to the auth section (see pam_access(8) and access.conf(5) manual pages).

That said, PermitRootLogin No should work regardless. (PermitRootLogin without-password is the screw case.)



Updated on September 17, 2022

Comments

  • tshepang
    tshepang over 1 year

    How do I disable remote root login via ssh?

    I want to log into my server (I use keys on my main comp) then su into root instead of access root directly.

    I am using Debian. I follow guides online which say to add PermitRootLogin no to the file, and another mentions Protocol 2. Then restart ssh: /etc/init.d/ssh restart. I did this and it did not work. I was able to log into root using putty.

    How do I disable remote root login on Debian?

    • mattdm
      mattdm about 13 years
      While you're at it, by the way, I suggest setting PasswordAuthentication no and ChallengeResponseAuthentication no, so that keys are required.
    • mattdm
      mattdm about 13 years
      And you can also set AllowUsers acidzombie, so that only that account can log in.
    • Admin
      Admin about 13 years
      @mattdm: Why require keys? I'd rather not have keys, as if someone grabs my computer or somehow gets access to my private keys he could log in. I just have keys going into my account (which really has the same password as root, but I type less), then su into it.
    • mattdm
      mattdm about 13 years
      @acidzombie24: Keys because passwords can get brute forced, or stolen should the machine get compromised. Set a passphrase on your key, which will allow you time to change the authorized_keys if it's stolen.
    • Admin
      Admin about 13 years
      @mattd: Isn't that redundant? Putting a password on my private keys instead of using that same password to log into my server? I'd rather use a password on the server in case I am using someone else's machine.
    • mattdm
      mattdm about 13 years
      @acidzombie24: that's definitely more convenient, but how do you know their terribly-maintained windows system doesn't have a botnet with a keylogger looking for ssh passwords? Passphrases are not redundant because they don't ever leave your system. And you can use ssh-agent to make them more convenient (ideally with that cleared on screen lock or after a duration).
    • Admin
      Admin about 13 years
      @mattdm: Why don't you change your comment to an answer so people can upvote it? Good point, but then how do I log in to my server on a terribly-maintained computer with a keylogger? I looked up ssh-agent and I am unsure how it will be useful. As a note, I use winscp and putty, store my passwords unprotected, and use putty to log me into certain accounts. One account is my backup user, which only has permissions for one directory, which is where a cron job copies backups to. (I have a Windows task run a local script using winscp to retrieve it.)
    • Admin
      Admin about 13 years
      @mattdm: Even though I accepted an answer, I am still interested in how you would set this up. So right now I use unprotected private keys to log in to acidzombie, which has the same password as root. Then I log into root using su and said password. I win putty and winscp. I would like to know what you suggest with your key technique, and on logging in when using a machine with a keylogger / other people's computers.
    • mattdm
      mattdm about 13 years
      Simple: I avoid logging on to my machine from other people's computers. If I don't have my laptop, I use my phone. But this is all really a separate question. Another approach would be to use one-time codes or a software/hardware token.
    • Admin
      Admin about 13 years
      @mattdm: I was thinking about another question. Alright, ETA is <20mins from now. How would you ever log in via your phone? or create the one time codes?
  • Aleh
    Aleh about 13 years
    +1 but wrong. After I did a search and found only that one line, I moved it to the very top of the file. Saved, restarted ssh and tried logging in. It still allowed me :(
  • mattdm
    mattdm about 13 years
    @acidzombie24: Well, that's curious. Anything interesting logged? Just to be double-sure ("Is your computer plugged in?"), you're editing sshd_config, not ssh_config, right?
  • mattdm
    mattdm about 13 years
    (And FWIW, ChallengeResponseAuthentication no is the solution to that "screw case".)
  • Aleh
    Aleh about 13 years
    That was it, sshd_config. I didn't see it nor realize that the sites said to modify sshd. It didn't help when they said "find the lines with XYZ" when the said lines are also in ssh_config. Problem solved.
  • geekosaur
    geekosaur about 13 years
    Usually, but not always. You may want to use PAM auth for S/Key / Opie (which at least some security regimes don't consider a "password"), SecurID, or other authentication mechanisms that ssh can't use directly.