Disable or Enable SSH Root Login and Limit SSH Access in Linux

Every Linux system comes with a root user account, and by default root access is enabled for the outside world.

For security reasons, it's not a good idea to leave SSH root access enabled, because any hacker can try to brute force your password and gain access to your system.


So, it's better to have another account that you regularly use and then switch to the root user with the 'su -' command when necessary. Before we start, make sure you have a regular user account from which you can su or sudo to gain root access.


In Linux, it's very easy to create a separate account: log in as the root user and run the adduser command. Once the user is created, follow the steps below to disable root login via SSH.

We use the sshd master configuration file to disable root login; this may reduce the chance of a hacker gaining root access to your Linux box. We will also see how to enable root access again, as well as how to limit SSH access to a list of users.

Disable SSH Root Login

To disable root login, open the main ssh configuration file /etc/ssh/sshd_config with your choice of editor.

# vi /etc/ssh/sshd_config

Search for the following line in the file.

#PermitRootLogin no

Remove the '#' from the beginning of the line so that it looks like this.

PermitRootLogin no

Next, we need to restart the SSH daemon service.

# systemctl restart sshd
OR
# /etc/init.d/sshd restart

Now try to log in as the root user; you will get a "Permission denied" error.

$ ssh [email protected]
[email protected]'s password: 
Permission denied, please try again.

So, from now on, log in as a normal user and then use the 'su' command to switch to the root user.

$ ssh [email protected]
[email protected]'s password:
Last login: Mon Dec 27 15:04:58 2021 from 192.168.0.161

$ su -
Password:
Last login: Mon Dec 27 15:05:07 IST 2021 on pts/1

Enable SSH Root Login

To enable SSH root login, open the file /etc/ssh/sshd_config.

# vi /etc/ssh/sshd_config

Search for the following line and remove the ‘#‘ at the beginning and save the file.

PermitRootLogin yes

Restart the sshd service.

# systemctl restart sshd
OR
# /etc/init.d/sshd restart

Now try to log in with the root user.

$ ssh [email protected]
[email protected]'s password:
Last login: Mon Dec 27 15:14:54 2021 from 192.168.0.161

Limit SSH User Logins

If you have a large number of user accounts on the system, it makes sense to limit remote SSH access to those users who really need it. Open the /etc/ssh/sshd_config file.

# vi /etc/ssh/sshd_config

Add an AllowUsers line at the bottom of the file, followed by a space-separated list of usernames. For example, the line below gives the users tecmint and sheena remote SSH access.

AllowUsers tecmint sheena

Now restart the SSH service.
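
One way to check the edits above before restarting sshd, as an added example (not TecMint's own code): a small shell audit that reports the active PermitRootLogin and AllowUsers values in a config file. The function names and the sample file are constructed for illustration; it assumes the plain "Keyword value" form and does not follow Include files.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings changed above.
# sshd keeps the FIRST value it reads for PermitRootLogin, so a later
# "PermitRootLogin no" does not override an earlier "PermitRootLogin yes".

# active_values FILE KEYWORD: print every active global value, in file order.
# Keywords are case-insensitive; comments are skipped; parsing stops at the
# first Match block. Include files are not followed (assumption).
active_values() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# audit FILE: print findings; return 1 unless root login is disabled.
audit() {
    root=$(active_values "$1" PermitRootLogin | head -n 1)
    # AllowUsers may appear on several lines, so list all of them.
    users=$(active_values "$1" AllowUsers | paste -s -d ' ' -)
    rc=0
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "WARN PermitRootLogin is '${root:-unset}', expected 'no'"
        rc=1
    fi
    if [ -n "$users" ]; then
        echo "OK   AllowUsers limits SSH to: $users"
    else
        echo "INFO no AllowUsers line, SSH is not limited to a user list"
    fi
    return $rc
}

# Constructed sample config (not from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
AllowUsers tecmint sheena
EOF
audit "$sample" || echo "Fix the first active PermitRootLogin line."
rm -f "$sample"
```

On a live host, `sshd -t` validates the file's syntax before a restart and `sshd -T` prints the effective configuration as sshd itself resolves it.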

Ravi Saive

21 thoughts on “Disable or Enable SSH Root Login and Limit SSH Access in Linux”

  1. Open the sshd_config file.

    # nano /etc/ssh/sshd_config
    

    add the following configuration.

    PermitRootLogin yes
    KbdInteractiveAuthentication yes
    PubkeyAuthentication yes
    UseDNS no
    

    and restart the sshd service with the following command.

    # systemctl restart sshd
    
  2. It’s better and more safe to use “screen” at the user-account.

    screen -S root  #(Startsession)
    su -
    ctrl+ad #(logout)
    

    and get back the session

    screen -r root
    ctrl+ad #(logout)
    

    also possible session with other names mylogin1, mylogin2, mylogin3 to have a multisession with 4/10 sessions over “screen”

    test it out and good hack

    best
    Blackysgate

  3. I prefer creating an ssh group, adding to that group, and allowing that group in sshd_config, but well, same goal achieved either way!

    Great article!
