How do I disable SSH login for the root user?


Browse by products and services

  • Applies to: All DV
    • Difficulty: Medium
    • Time Needed: 10
    • Tools Required: SSH, root access, vi knowledge

Overview

With a good password, you can limit your exposure to a brute force attack. However, it may still be possible. Although technically unsupported by (mt) Media Temple, the following instructions are for disabling the root user and allowing another user to assume the root users permissions. This adds another layer of security because an additional username and password must now be entered before gaining the root user privileges.

Before you disable root logins you should add an administrative user that can ssh into the server and become root with su.

READ ME FIRST

This article is provided as a courtesy. Installing, configuring, and troubleshooting third-party applications is outside the scope of support provided by (mt) Media Temple. Please take a moment to review the Statement of Support.

Instructions

NOTE:

In the following example, we are using admin for the username. This is just a example and can be replaced with any username you wish to use.

  1. Add the user. In the following example, we will use the user name admin. The command adduser will automatically create the user, initial group, and home directory.
    [root@root ~]# adduser admin
    [root@root ~]# id admin
    uid=10018(admin) gid=10018(admin) groups=10018(admin)
    [root@root ~]# ls -lad /home/admin/
    drwx------ 2 admin admin 4096 Jun 25 16:01 /home/admin/
    
  2. Set the password for the admin user. When prompted, type and then retype the password.
    [root@root ~]# passwd admin
    Changing password for user admin.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    [root@root ~]#
    
  3. For sudo permissions for your new admin user, use the following command.
    [root@root ~]# echo 'admin ALL=(ALL) ALL' >> /etc/sudoers
  4. SSH to the server with the new admin user and ensure that the login works.
    [root@root ~]# ssh admin@my.ip.or.hostname
    admin@my.ip.or.hostname's password:
    [admin@admin ~]$
  5. Verify that you can su (switch user) to root with the admin user.  
    
    [admin@admin ~]$ su -
    Password:
    [root@root ~]$ whoami
    root
    
  6. To disable root SSH login, edit /etc/ssh/sshd_config with your favorite text editor.
    
    [root@root ~]# vi /etc/ssh/sshd_config
    

    Change this line:

    
    #PermitRootLogin yes
    

    Edit to this:

    
    PermitRootLogin no
    
  7. Ensure that you are logged into the box with another shell before restarting sshd to avoid locking yourself out of the server.
    
    [root@root ~]# /etc/init.d/sshd restart
    Stopping sshd: [ OK ]
    Starting sshd: [ OK ]
    [root@root ~]#
    

You will now be able to connect to your server via ssh with the admin user and then use the command su to switch to the root user.

See also