Linux OpenSSH server deny root user access / log in

How do I block access to root user over ssh session on my Linux server? How can I block root user log in over ssh based session for security reasons?

sshd (the OpenSSH daemon) is the server program for ssh, and ssh is its client program. The server-side configuration is defined in the /etc/ssh/sshd_config file on Linux. You can use the DenyUsers option to block access for the root user. Another way to block root access is to set PermitRootLogin to no in the sshd_config file.

Procedure for disabling SSH login for root user

To disable SSH logins for the root account:

  1. Log in to the Linux or Unix server using ssh: ssh user@your-server
  2. Edit the /etc/ssh/sshd_config file using vi
  3. Set PermitRootLogin no to disable SSH logins for root
  4. Save and close the file
  5. Reload sshd server in order to deny root log in

Let us see all steps in detail.

Linux OpenSSH server deny root user access / log in

DenyUsers option can block any user. This option can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID (UID) is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

Open /etc/ssh/sshd_config file

Use the vi command to edit the /etc/ssh/sshd_config file, run:
# vi /etc/ssh/sshd_config

Deny root user access

Append or modify as follows to block root user:
DenyUsers root
To block additional users, append their names to DenyUsers, separated by spaces (not commas):
DenyUsers root user2 user3
Save and close the file. Restart sshd service:
# /etc/init.d/sshd restart
OR
$ sudo service sshd restart
For systemd based system:
$ sudo systemctl restart sshd

OpenSSH deny root user using PermitRootLogin option

This option specifies whether root can log in using ssh. The syntax is:
PermitRootLogin {option}
The option must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password. For example, to deny root log in over ssh set it as follows in your sshd_config file:
PermitRootLogin no
Once again, restart or reload the sshd service (the systemd unit is named ssh on Debian and Ubuntu, and sshd on RHEL, CentOS and Fedora):
sudo systemctl restart ssh
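
Before relying on either option, it helps to confirm which value sshd will actually use: sshd takes the first value it obtains for a keyword, and DenyUsers patterns are separated by spaces. The following is an added example, not part of the original page; the function names are hypothetical, the sample configs are constructed, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: static check of an sshd_config file for root-login settings.
# Assumption: Include files and Match blocks are not evaluated.

# Print the effective global PermitRootLogin value. sshd uses the first
# value it obtains for a keyword; keyword names are case-insensitive.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == "permitrootlogin" { v = $2; exit }
        END { print (v == "" ? "prohibit-password" : v) }   # default per the text
    ' "$1"
}

# Succeed if a global DenyUsers line lists the literal user name root.
# DenyUsers lines accumulate and patterns are space-separated, so a token
# such as "root," (trailing comma) is a different pattern and does not match.
denyusers_blocks_root() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "denyusers" {
            for (i = 2; i <= NF; i++) if ($i == "root") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Root SSH login is blocked if either mechanism from the text is in effect.
root_ssh_login_blocked() {
    [ "$(effective_permit_root_login "$1")" = "no" ] || denyusers_blocks_root "$1"
}

# Constructed sample configs (not taken from a real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' > "$demo_dir/good.conf"
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$demo_dir/shadowed.conf"
printf '%s\n' 'DenyUsers root, user2, user3' > "$demo_dir/commas.conf"
for f in good shadowed commas; do
    if root_ssh_login_blocked "$demo_dir/$f.conf"; then
        echo "$f: root blocked"
    else
        echo "$f: root NOT blocked (PermitRootLogin=$(effective_permit_root_login "$demo_dir/$f.conf"))"
    fi
done
```

On a live server, `sudo sshd -t` validates the file before a restart, and `sudo sshd -T | grep -i permitrootlogin` prints the value sshd resolved, including any Include files.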

Test it

Run ssh command as follows:
ssh root@box-name
ssh root@192.168.2.30

You should see an error as follows:

root@192.168.2.30: Permission denied (publickey).

You can now only log in as normal or non-root user:
ssh vivek@192.168.2.30
Next use sudo command or su command to gain a root shell access:
sudo -i
OR
su -

Conclusion

This page explained how to disable and deny SSH login for the root user running on Linux. For more info see sshd_config man page here. However, I strongly suggest that you set up SSH keys for log in. See:

3 comments
  • slashx Aug 28, 2007 @ 9:42

    in /etc/ssh/sshd_config
    setting this:
    PermitRootLogin no
    Should also do the same thing, but denyusers works too :)

  • Wasim Mar 15, 2013 @ 5:18

    Nice Blog…

  • Wasim Mar 15, 2013 @ 5:21

    vi /etc/ssh/sshd_config
    Find the below line first
    #PermitRootLogin yes
    Add a new line below this entry
    PermitRootLogin no
    Reload sshd.
