How do I disable remote SSH login as root from a server?
Solution 1
I assume you meant logging in over SSH? Put the following line to /etc/ssh/sshd_config
:
PermitRootLogin no
If you want to deny certain users from logging in, put this in the configuration file:
DenyUsers root
This takes the blacklisting approach. Whitelisting is generally preferable. If your company needs to allow the rob
and admin
users log in on the server, use the following configuration directive:
AllowUsers rob admin
After making configuration file changes, restart the ssh service using the command:
sudo service ssh restart
See also the manual page.
Solution 2
Edit the file /etc/ssh/sshd_config
, look for
PermitRootLogin
and set it to no
.
Solution 3
The default configuration is for the root account to be locked so you can not log in as root remotely. You don't have to do anything else, unless you also want to make sure that you can not log in as root remotely by using an RSA key. Of course, if you don't want to do that, then just don't set up a root key.
Related videos on Youtube
Comments
-
Rob S. over 1 year
For security purposes my company wants me to not allow anyone to be able to log into our Ubuntu server as root remotely over SSH. We still want the root account to exist, we just do not want it to be able to be logged into remotely. How would I accomplish this?
Thank you very much in advance for your time.
-
Maxim Yefremov almost 10 yearsand
sudo service ssh restart
to take effect -
Chinmaya B over 7 yearsI don't see sshd_config file , I see this one /etc/ssh/ssh_config.
-
Lekensteyn over 7 years@ChinmayaB You have probably not installed the OpenSSH server. Try
sudo apt-get install openssh-server
-
andrewtweber over 7 yearsThat was not the default for my Linode Ubuntu 14.04 machine.
PermitRootLogin
was set toyes
and there was noAllowUsers
orDenyUsers
config line. Unless I am missing something, I don't think it is safe to assume it is locked by default -
psusi over 7 years@andrewtweber, root login is not prohibited via ssh config, but system wide by setting the root password to an invalid value that you can not enter. Thus, as I said, you can still ssh in as root using an RSA key, just not with a password.
-
andrewtweber over 7 yearsok thanks, can you add that explanation to your answer and then I'll be able to remove my downvote
-
psusi over 7 years@andrewtweber, it's already in my answer..
-
andrewtweber over 7 yearsyour explanation of how the root account is locked is not in your answer. Anyways I can't remove a downvote unless your answer is edited, so go ahead and be stubborn about it if you want
-
JGlass almost 6 yearsIf you do this without adding any users with
AllowUsers <username>
wouldn't this in effect allow no one to SSH in? -
armadadrive over 5 years@JGlass You may be conflating this answer with the one above that has additional options - this specific line only bars root from logging in via SSH. If there are other users on the system, all other things being equal, they will still be able to login via SSH unless you
DenyUsers
those logins as well. -
JGlass over 5 years@armadadrive - ahh, thank you for the correction and explanation!
-
heroin over 4 yearsIt worth mentioning, that before disabling ssh for root user you need firstly configure ordinary user's ssh
-
Tarick Welling almost 4 yearsThis answer is terrible, it is assuming something that could be invalid, it isn't helping someone who wants to learn and it doesn't help someone if they actually need to manually lock root out. This is an non answer on the whole front.