root in Linux or other Unix-based operating systems is a superuser account, where it has full access to the system. Logging in as the root user via SSH for system administration is convenient as it allows you to do everything, but it comes with significant security implications.

A compromised root account will give an attacker full access to your server. The compromise could be caused by bots that would normally brute force root SSH account or by the leakage of the password or private key of the root user. Therefore, it is good practice to disable direct access by root user to SSH servers and only allow standard users to log in. These users will then use sudo or other methods to perform their administrative tasks.

$ ssh
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ',' (ECDSA) to the list of known hosts.'s password:
Permission denied, please try again.

Some systems disable root login by default, and some others do not. You can enable or disable root user login to your SSH server by configuring PermitRootLogin directive on SSHd configuration on your SSH server.

Make sure you already have a normal user with SSH and preferably sudo access to the system before preventing root access.

Steps to deny or allow root login in SSH:

  1. Configure root access to the normal user via sudo (optional, if required).
  2. Launch your preferred terminal application.
  3. Open sshd configuration file using favourite text editor.
    $ sudo vi /etc/ssh/sshd_config
    [sudo] password for user:
  4. Search for PermitRootLogin directive and set the option to no to disallow root login and yes to allow.
    PermitRootLogin no

    Add the line if it doesn't already exist and remove # at the beginning of the line if it exists.

    Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password.

  5. Reload or restart SSH server service.
    $ sudo systemctl restart sshd
Discuss the article:

Comment anonymously. Login not required.