Disable SSH root login


The PermitRootLogin SSHD configuration option specifies whether the root user can log in to the server with ssh. Possible values are yes, prohibit-password, forced-commands-only, or no. The default value is prohibit-password.

Why you should block direct access as root through SSH

Direct access as root isn’t always required, and allowing it makes your server a vulnerable and attractive target. The root user has unrestricted privileges: if an attacker successfully gains control of it, anything can be done to the server, from total service disruption to data loss and data hijacking. The risk just isn’t worth it.

If possible, avoid running administrative tasks as the root user. Use a regular account instead and grant it permission to perform only the required actions. Applying the principle of least privilege to SSH access improves accountability for actions performed on the server and ensures that no user can perform unexpected actions.

If PermitRootLogin is yes, root login with a password is allowed, and attackers may gain access to your server as root through password cracking.

Even without restrictive permissions, simply blocking direct login as root forces users to authenticate with an individual account and then escalate to root if necessary. This improves accountability because it provides an audit trail.

How to disable root login with SSH

You need to add or change a setting in the SSHD configuration file.

Look for PermitRootLogin in /etc/ssh/sshd_config:

grep PermitRootLogin /etc/ssh/sshd_config

If the output isn’t empty, the argument is present in the file. Edit /etc/ssh/sshd_config and replace the current PermitRootLogin value with no. If the line is commented out (it has a leading #), uncomment it by removing the leading #.

If the output is empty, the argument could still be defined in a .conf file in /etc/ssh/sshd_config.d/. Check there too:

grep PermitRootLogin /etc/ssh/sshd_config.d/*.conf

The /etc/ssh/sshd_config.d/ directory doesn’t exist on Ubuntu 18.04; you only need to check it if you’re using Ubuntu 20.04 or more recent.

If the output isn’t empty, edit the file where the argument is defined and change its value to no.

If you couldn’t find the argument defined anywhere, edit /etc/ssh/sshd_config and add the following line:

PermitRootLogin no

Finally, restart the SSHD service:

sudo systemctl restart sshd
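The check and the edit described above, as an added shell example that is not part of the original article: sshd applies the first value it reads for a keyword, and on Ubuntu 20.04 and later sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file silently overrides a PermitRootLogin line further down in sshd_config itself. The functions take the config path as a parameter (an assumption made so they can be exercised on constructed files) and rely on a GNU/Linux userland (sh, sed, awk, mktemp).

```shell
#!/bin/sh
# Added example (not from the original article). sshd uses the FIRST value it
# reads for a keyword, and Ubuntu 20.04+ ships sshd_config with
# "Include /etc/ssh/sshd_config.d/*.conf" at the top, so a drop-in file wins
# over any PermitRootLogin line further down in sshd_config itself.
# Config paths are parameters so the functions can be exercised on
# constructed files instead of the live /etc/ssh tree.

# Print every effective (uncommented) PermitRootLogin line, with its file,
# in the order sshd reads them, expanding Include directives as they are met.
list_permit_root_login() {
    [ -r "$1" ] || return 0
    # Drop leading whitespace and comment lines; keywords are case-insensitive.
    sed 's/^[[:space:]]*//' "$1" | grep -v '^#' | while IFS= read -r line; do
        key=$(printf '%s' "$line" | awk '{print tolower($1)}')
        case "$key" in
            include)
                # Unquoted expansion applies the glob from the Include line.
                for f in $(printf '%s' "$line" | awk '{print $2}'); do
                    list_permit_root_login "$f"
                done ;;
            permitrootlogin)
                printf '%s %s\n' "$1" "$(printf '%s' "$line" | awk '{print $2}')" ;;
        esac
    done
}

# The value sshd will actually apply: the first match, or the documented
# default of prohibit-password when nothing sets it.
effective_permit_root_login() {
    v=$(list_permit_root_login "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${v:-prohibit-password}"
}

# Set PermitRootLogin no in FILE: rewrite the first existing line (commented or
# not) in place, or append the directive if the file has none.
set_permit_root_login_no() {
    tmp=$(mktemp)
    awk '!done && tolower($1) ~ /^#?permitrootlogin$/ { print "PermitRootLogin no"; done = 1; next }
         { print }
         END { if (!done) print "PermitRootLogin no" }' "$1" > "$tmp"
    cat "$tmp" > "$1"   # overwrite in place to keep the original ownership and mode
    rm -f "$tmp"
}
```

On the live system, run sudo sshd -t to validate the configuration before restarting, and sudo sshd -T | grep -i permitrootlogin afterwards to confirm the value sshd actually applies.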