Controlling whether the root account can log in directly over SSH reduces exposure of the most privileged user on a server. Disabling direct root access forces administration through unprivileged accounts that escalate with sudo, limiting the impact of password guessing and credential theft.

On typical Linux systems, the OpenSSH server process sshd reads its configuration from /etc/ssh/sshd_config during startup. The PermitRootLogin directive in this file determines if logins for the root user are accepted, rejected entirely, or restricted to specific methods such as public-key authentication or forced commands.

Changes to /etc/ssh/sshd_config affect every incoming SSH session and invalid settings can prevent sshd from starting. Before disabling root login, at least one non-root account with SSH and sudo access is required to avoid losing remote administrative access. The steps below assume OpenSSH managed by systemd on a modern Linux distribution and focus on adjusting PermitRootLogin safely.

Before preventing root access, make sure a non-root user with SSH access exists, preferably one that also has sudo rights.

Steps to deny or allow root login in SSH:

  1. Confirm availability of a standard user account with SSH and sudo access.
  2. Open a terminal session with access to the target server.
  3. Edit the /etc/ssh/sshd_config file as a privileged user.
    $ sudo vi /etc/ssh/sshd_config
    [sudo] password for user:
  4. Locate the PermitRootLogin directive or add it if it is missing.

    If the directive is present but commented out, remove the leading # character; if it is absent, add the line.

  5. Set PermitRootLogin to the desired value for enabling or disabling direct root login.
    PermitRootLogin no

    PermitRootLogin
    Specifies whether root can log in using ssh(1). Supported values are yes, prohibit-password, forced-commands-only, and no; the default is prohibit-password.

  6. Save the configuration file and exit the editor.
  7. Validate the sshd configuration syntax before restarting the service.
    $ sudo sshd -t

    No output and a zero exit status indicate that the configuration syntax is valid; a syntax error is reported on stderr with a non-zero exit status, and sshd should not be restarted until it is fixed.

  8. Restart the SSH daemon to apply the configuration change.
    $ sudo systemctl restart sshd
  9. Verify that the sshd service is running after the restart.
    $ sudo systemctl status sshd
    ● sshd.service - OpenBSD Secure Shell server
         Loaded: loaded (/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
         Active: active (running) since Mon 2024-05-13 10:15:01 UTC; 5s ago
    ##### snipped #####
  10. Test root login behavior from a separate session to confirm that the configured policy is in effect.
    $ ssh root@example.com
    The authenticity of host 'example.com (192.168.111.146)' can't be established.
    ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added 'example.com,192.168.111.146' (ECDSA) to the list of known hosts.
    root@example.com's password:
    Permission denied, please try again.

    A repeated Permission denied prompt for root confirms that PermitRootLogin no is being enforced.
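The edit in steps 3 to 6 can be scripted so that it behaves the same whether the directive is active, commented out or missing. The following script is an added example, not part of the original article; the function names set_permit_root_login and validate_sshd_config and the .bak backup convention are its own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: rewrite the global
# PermitRootLogin directive in an sshd_config file. It handles the cases the
# steps above describe (directive present, present but commented out with a
# leading #, or missing), leaves any PermitRootLogin inside a Match block
# alone, and keeps a .bak copy for rollback. Usage: set_permit_root_login FILE VALUE
set -eu

set_permit_root_login() {
    cfg="$1"
    value="$2"
    # Accept only the values documented for the directive.
    case "$value" in
        yes|no|prohibit-password|forced-commands-only) ;;
        *) echo "unsupported PermitRootLogin value: $value" >&2; return 1 ;;
    esac
    cp -p "$cfg" "$cfg.bak"
    tmp="$cfg.tmp.$$"
    awk -v val="$value" '
        # A Match line starts a block that runs to the next Match or EOF;
        # directives inside it are conditional and must not be rewritten.
        tolower($1) == "match" { in_match = 1 }
        !in_match {
            line = $0
            sub(/^[[:space:]]*#[[:space:]]*/, "", line)   # "#PermitRootLogin x" counts as the directive
            if (tolower(line) ~ /^permitrootlogin([[:space:]]|$)/) {
                if (!done) { print "PermitRootLogin " val; done = 1 }  # first occurrence is replaced
                next                                                   # later duplicates are dropped
            }
        }
        { print }
        END { if (!done) print "PermitRootLogin " val }   # not found anywhere: append it
    ' "$cfg" > "$tmp"
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Syntax-check a candidate file the way step 7 does, without touching the live
# config. Needs root, because sshd -t also loads the host keys.
validate_sshd_config() {
    sshd -t -f "$1"
}

if [ "$#" -ge 2 ]; then
    set_permit_root_login "$1" "$2"
fi
```

Because sshd uses the first value it obtains for a keyword, a drop-in under /etc/ssh/sshd_config.d/ pulled in by an Include line earlier in the file can still take precedence over the line this script writes. `sudo sshd -T | grep -i permitrootlogin` prints the value sshd will actually enforce after all includes and is the check worth running before the restart in step 8.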
