root is the superuser account and has full access to Linux and other Unix-based operating systems. Logging in as the root user via SSH for system administration is a big convenience but comes with big security implications. A compromised root account gives an attacker full access to your server. This could be caused by bots that routinely brute-force the root SSH account, or by a leaked password or private key of the root user. It is therefore advised to only allow normal user login to a system via SSH and to configure sudo access for that user to perform administrative tasks.
```
$ ssh [email protected]
The authenticity of host 'example.com (192.168.111.146)' can't be established.
ECDSA key fingerprint is SHA256:dPiDHZPOKKNaz/RgHHaxkexY7L1h1EFcfa5UJUi2s48.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'example.com,192.168.111.146' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
```
Some systems disable root login by default and others do not. You can enable or disable root user login to your SSH server by configuring the PermitRootLogin directive in the sshd configuration on your SSH server.
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password.
Make sure you already have a normal user with SSH and preferably sudo access to the system before preventing root access.
1. Grant root access to the normal user via sudo (optional, if required).

2. Open the sshd configuration file using your favourite text editor.

```
$ sudo vi /etc/ssh/sshd_config
[sudo] password for user:
```

3. Find the PermitRootLogin directive and set the option to no to disallow root login, or yes to allow it.

```
PermitRootLogin no
```

Add the line if it doesn't already exist, and remove the # at the beginning of the line if there is one.

4. Restart the SSH server service.

```
$ sudo systemctl restart sshd
```
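A check to run after the steps above, as an added example that is not part of the original guide: it reads one sshd_config-style file and reports the PermitRootLogin value from its global section, which catches the case where a new line was added below an existing one. The function names `effective_permit_root_login` and `check_root_login` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value set in the global section
# of ONE sshd_config-style file. sshd keeps the first value it obtains for a
# keyword, so an appended "PermitRootLogin no" loses to an earlier "yes".
# Assumptions of this sketch: Include files are not followed and Match
# blocks are not evaluated.

effective_permit_root_login() {
    # $1: path to the configuration file
    awk '
        /^[ \t]*#/ { next }                      # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }            # tolerate keyword=value
        NF == 0 { next }                         # blank line
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "permitrootlogin" {       # keyword is case-insensitive
            print tolower($2); found = 1; exit   # first occurrence wins
        }
        END { if (!found) print "prohibit-password" }  # default quoted on this page
    ' "$1"
}

check_root_login() {
    # Succeeds only when root login is fully disabled in file $1.
    value=$(effective_permit_root_login "$1")
    if [ "$value" = "no" ]; then
        return 0
    fi
    echo "root login still possible: PermitRootLogin $value" >&2
    return 1
}

# Constructed sample: "no" was appended but the earlier "yes" still applies.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'PermitRootLogin no' > "$sample"
echo "sample: PermitRootLogin $(effective_permit_root_login "$sample")"
check_root_login "$sample" || echo "sample fails the check, as expected"
rm -f "$sample"
```

On a live server, `sudo sshd -t` validates the configuration before the restart, and `sudo sshd -T | grep -i permitrootlogin` prints the value sshd actually uses, including anything pulled in from Include files.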
Guide compatibility:
Operating System |
---|
Ubuntu Linux |
Debian Linux |
Red Hat Enterprise Linux |
Fedora Linux |
CentOS Linux |
openSUSE Linux |
SUSE Linux Enterprise Server |
FreeBSD |
OpenBSD |
NetBSD |
macOS |