root is the superuser account in Linux and other Unix-based operating systems. It has complete control over the system. Allowing root to log in via SSH is convenient for administrative tasks but poses significant security risks. If compromised, a root account could give an attacker full access to your server.
$ ssh root@example.com The authenticity of host 'example.com (192.168.111.146)' can't be established. ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'example.com,192.168.111.146' (ECDSA) to the list of known hosts. root@example.com's password: Permission denied, please try again.
To mitigate this risk, it's common practice to disable direct SSH access for the root user. Instead, administrators typically log in with a standard user account and use sudo for tasks that require elevated privileges. This approach reduces the attack surface and helps protect your system from unauthorized access.
Configuring SSH access for the root user involves modifying the PermitRootLogin directive in the SSHD configuration file. This directive determines whether root can log in directly via SSH. Adjusting this setting can help you balance convenience with security based on your specific needs.
Make sure you already have a normal user with SSH and preferably sudo access to the system before preventing root access.
Steps to deny or allow root login in SSH:
- Ensure you have a standard user account with sudo access.
- Launch your preferred terminal application.
- Open the SSHD configuration file in a text editor.
$ sudo vi /etc/ssh/sshd_config [sudo] password for user:
- Locate or add the PermitRootLogin directive.
Add the line if it doesn't already exist and remove # at the beginning of the line if it exists.
- Set the PermitRootLogin directive to no to disable root login, or yes to enable it.
PermitRootLogin no
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password. - Save the changes and close the editor.
- Reload or restart SSH server service.
$ sudo systemctl restart sshd
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
Comment anonymously. Login not required.