Disable SSH root login
The PermitRootLogin option in the sshd configuration specifies whether the root user can log in to the server over SSH. Possible values are yes, prohibit-password, forced-commands-only, or no. The default value is prohibit-password, which refuses password logins as root but still allows key-based ones.
Direct access as root is rarely required, and allowing it makes your server an attractive target. The root user holds every privilege: if an attacker gains control of it, anything can be done with the server, from total service disruption to data loss and data theft. The risk just isn't worth it.
If possible, avoid running administrative tasks as the root user. Use a regular account instead and grant it permission to perform only the required actions. Applying the principle of least privilege to SSH access improves accountability for actions performed on the server and limits what each user can do.
Even without restrictive permissions, simply blocking direct root login forces users to authenticate with an individual account and then escalate to root if necessary. This improves accountability because it provides an audit trail of who logged in and who escalated.
You need to add or change a setting in the sshd configuration file. First check whether the option is already present:
grep PermitRootLogin /etc/ssh/sshd_config
If the output isn't empty, the option is present in the file. Edit /etc/ssh/sshd_config and replace the current PermitRootLogin value with no. If the line is commented out (has a leading #), uncomment it by removing the leading #.
Whether or not the first grep matched, also check the drop-in directory /etc/ssh/sshd_config.d/: most distributions include it from the top of sshd_config, and sshd keeps the first value it reads for an option, so a setting in a drop-in file wins over one placed later in sshd_config itself. Check there too:
grep PermitRootLogin /etc/ssh/sshd_config.d/*.conf
If the output isn't empty, edit the file where the option is defined, changing its value to no.
If you couldn't find the option defined anywhere, edit /etc/ssh/sshd_config and add the following line:
PermitRootLogin no
Finally, make sure a regular account with sudo access can already log in (otherwise you lock yourself out), then restart the SSHD service (on Debian and Ubuntu the unit is named ssh):
sudo systemctl restart sshd
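The whole procedure above, as an added example that is not part of the original guide: it rewrites PermitRootLogin in every file sshd reads (the main file and the drop-ins), appends the setting only when no file defines it, and reports the value sshd will use given the usual "drop-ins included first" layout. The SSH_CONFIG_DIR variable, the function names and the --apply flag are this script's own assumptions so it can be exercised against a scratch copy of /etc/ssh.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: fix PermitRootLogin in every
# file sshd reads instead of only the first one grep happens to find.
# SSH_CONFIG_DIR is an assumed variable so the functions can be exercised on a
# scratch copy of /etc/ssh; on a real host leave it at the default.
set -eu

SSH_CONFIG_DIR="${SSH_CONFIG_DIR:-/etc/ssh}"

# Rewrite every PermitRootLogin line in one file, active or commented out,
# to "PermitRootLogin no".  Keywords are case-insensitive to sshd, so the
# match is too; a commented line counts only if its value is a real
# PermitRootLogin value, so prose comments mentioning the keyword survive.
# Returns 0 if the file was changed, 1 if it had no such line.
set_permit_root_login_no_in_file() {
    local file="$1" tmp
    tmp="$(mktemp)"
    if awk '{
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)
            n = split(line, t, /[ \t=]+/)
            v = (n >= 2) ? tolower(t[2]) : ""
            if (tolower(t[1]) == "permitrootlogin" &&
                (v == "yes" || v == "no" || v == "prohibit-password" ||
                 v == "without-password" || v == "forced-commands-only")) {
                print "PermitRootLogin no"; changed = 1
            } else {
                print $0
            }
        } END { exit (changed ? 0 : 1) }' "$file" > "$tmp"; then
        cat "$tmp" > "$file"      # overwrite in place, keeping owner and mode
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# sshd keeps the FIRST value it reads for an option, and the usual
# "Include /etc/ssh/sshd_config.d/*.conf" sits at the top of sshd_config, so a
# drop-in still saying "yes" silently beats a "no" added to the main file.
# Hence every file is rewritten; if none defines the option, it is appended.
set_permit_root_login_no() {
    local dir="$1" changed=0 f
    for f in "$dir/sshd_config" "$dir"/sshd_config.d/*.conf; do
        [ -f "$f" ] || continue
        if set_permit_root_login_no_in_file "$f"; then changed=1; fi
    done
    if [ "$changed" -eq 0 ]; then
        printf 'PermitRootLogin no\n' >> "$dir/sshd_config"
    fi
}

# Value sshd will use, assuming the drop-in directory is included before the
# main file's own settings (the common distro layout) and ignoring Match
# blocks.  "sshd -T" is authoritative; this check just needs no sshd binary.
effective_permit_root_login() {
    local dir="$1" f v
    for f in "$dir"/sshd_config.d/*.conf "$dir/sshd_config"; do
        [ -f "$f" ] || continue
        v="$(awk '{
                line = $0; sub(/^[ \t]+/, "", line)
                n = split(line, t, /[ \t=]+/)
                if (n >= 2 && tolower(t[1]) == "permitrootlogin") { print t[2]; exit }
            }' "$f")"
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    printf 'prohibit-password\n'     # compiled-in default when unset anywhere
}

# Usage (as root): SSH_CONFIG_DIR=/etc/ssh ./harden-root-login.sh --apply
if [ "${1:-}" = "--apply" ]; then
    set_permit_root_login_no "$SSH_CONFIG_DIR"
    printf 'effective PermitRootLogin: %s\n' "$(effective_permit_root_login "$SSH_CONFIG_DIR")"
fi
```

After applying it on a real host, run sudo sshd -t to syntax-check the files before the restart, and sudo sshd -T | grep -i permitrootlogin afterwards: sshd -T prints the effective configuration, including Match-block handling that the grep-based check above does not model.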