Linux OpenSSH server deny root user access / log in

How do I block root user access over an ssh session on my Linux server? How can I deny root login over ssh for security reasons?

The sshd (OpenSSH Daemon) is the server side of ssh; on Linux its configuration lives in the /etc/ssh/sshd_config file. The ssh command is the client that talks to sshd. There are two ways to keep root out: list root under the DenyUsers option, or set PermitRootLogin to no in sshd_config. They are not quite equivalent: DenyUsers matches the login name, while PermitRootLogin is enforced for any account whose UID is 0, whatever it is called. Setting both does no harm.
Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: Linux or Unix terminal
Category: Terminal/ssh
OS compatibility: BSD, Linux, Unix
Est. reading time: 4 minutes

Procedure for disabling SSH login for root user

To disable SSH logins for the root account:

  1. Log in to the Linux or Unix server using ssh: ssh user@your-server
  2. Make sure at least one non-root user can log in over ssh and become root with sudo or su; otherwise you lock yourself out of administering the box.
  3. Edit the /etc/ssh/sshd_config file using vi
  4. Set PermitRootLogin no to disable SSH logins for root
  5. Save and close the file
  6. Check the configuration for syntax errors (sshd -t), then reload sshd so that root logins are denied

Let us see all steps in details.

Add an admin user

Before disabling root login over SSH, ensure a normal user can log in to your system and become root using sudo or su. Add a user named ‘vivek’ as the admin user. For example:
# adduser vivek
Set the password for a Linux user named ‘vivek’:
# passwd vivek
Verify using the id command:
# id vivek
Now grant sudo permissions to the new admin user named ‘vivek’. The one-liner below appends to /etc/sudoers directly with the echo command; on a production box prefer visudo (or a file under /etc/sudoers.d), which checks the syntax before saving, because a typo in this file disables sudo for everyone, and once root ssh login is off as well the only way back in is the console:
# echo 'vivek ALL=(ALL) ALL' >> /etc/sudoers
Next, ssh to the server with the new admin user named ‘vivek’ and ensure that the login works. For example:
{desktop:~}$ ssh vivek@server-ip-here
{desktop:~}$ ssh vivek@192.168.2.25
{desktop:~}$ ssh vivek@serverA

Verify that you can sudo to root with the admin user named ‘vivek’ using the sudo command:
{vivek@serverA:~}$ sudo -i
[sudo] password for vivek:
{root@serverA:~}#

See my tutorial “Add a new user account with admin access on Linux” for more info.

Linux OpenSSH server deny root user access / log in

The DenyUsers option can block any user. It is followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID (UID) is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are checked separately, restricting logins to particular users from particular hosts. sshd processes the allow/deny directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user listed in DenyUsers is rejected even if an AllowUsers or AllowGroups entry would otherwise admit them.

Open /etc/ssh/sshd_config file

Use the vi command to edit the /etc/ssh/sshd_config file, run:
# vi /etc/ssh/sshd_config

Deny root user access

Append or modify as follows to block root user:

DenyUsers root

If you want to block additional users, add their names to the same line separated by spaces. Do not use commas: sshd splits the list on whitespace, so a comma becomes part of the pattern and "root," no longer matches root, leaving root login allowed while the file looks correct. For example:

DenyUsers root user2 user3

OR

DenyUsers root tina jerry babu

Save and close the file. Check it for syntax errors first (sshd -t prints nothing and exits 0 when the configuration is clean; a broken file can leave the service unable to start), then restart the sshd service:
# /etc/init.d/sshd restart
OR use the service command:
$ sudo service sshd restart
For systemd based Linux system, restart the sshd using the systemctl command:
$ sudo systemctl restart sshd

Use the grep command or egrep command to check that the accounts exist in /etc/passwd and that the directive made it into /etc/ssh/sshd_config. For example:
$ grep -E 'root|vivek|wendy' /etc/passwd
$ grep -i 'DenyUsers' /etc/ssh/sshd_config

OpenSSH deny root user using PermitRootLogin option

This option specifies whether root can log in using ssh. The syntax is:

PermitRootLogin {option}

The option must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password (since OpenSSH 7.0; older releases default to yes and spell this value without-password, which is still accepted as an alias). prohibit-password lets root in with a key but never with a password; forced-commands-only admits root only with a key that carries a command= option in authorized_keys, which is what remote backup jobs typically rely on; no refuses root with every method. sshd applies this check to UID 0 rather than to the name, and the option may also appear inside a Match block, so root can be refused globally and allowed only from, say, a jump host address. To deny root login over ssh entirely, set it as follows in your /etc/ssh/sshd_config file:
PermitRootLogin no
Once again, restart or reload the sshd service (the systemd unit is called ssh on Debian/Ubuntu and sshd on RHEL-family systems):
$ sudo systemctl restart ssh
OR
$ sudo service sshd restart
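The DenyUsers and PermitRootLogin edits above share one trap: sshd keeps the first value it reads for a keyword, and on distributions that ship Include /etc/ssh/sshd_config.d/*.conf at the top of sshd_config (Debian 11 and Ubuntu 22.04 onwards, among others) every drop-in file is read before anything you append at the bottom. The script below is an added example, not code from this article; it emulates that first-match rule on constructed files so the pitfall and its fix can be seen offline. The directory layout, file names and the vendor drop-in it builds are made up for the demonstration. On a real host run sshd -t before reloading and sshd -T afterwards, which prints the effective merged configuration (add -C user=root,addr=... to see what a Match block would yield); Match blocks are not emulated here.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. sshd keeps the FIRST
# value it reads for each keyword, and an Include is read at the point where
# it appears, so a "PermitRootLogin no" appended to the bottom of
# /etc/ssh/sshd_config is silently beaten by a drop-in pulled in at the top.
# effective_sshd_value emulates that rule on ordinary files (case-insensitive
# keyword, "Keyword value" or "Keyword=value", Include with globs; Match blocks
# are NOT emulated). On a real host `sshd -T | grep -i permitrootlogin` is the
# authoritative check; this emulation only lets the pitfall be shown offline.

# _sshd_walk FILE KEYWORD_LOWER: print the first value found (status 0), or
# return 1 if FILE and everything it includes never set KEYWORD.
_sshd_walk() {
    local file=$1 want=$2 line kw rest pat f
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}       # drop leading whitespace
        case "$line" in ''|'#'*) continue ;; esac    # blank line or comment
        kw=${line%%[[:space:]=]*}                    # keyword token
        rest=${line#"$kw"}
        rest=${rest#"${rest%%[![:space:]=]*}"}       # value(s) after separator
        kw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')
        if [ "$kw" = include ]; then
            set -f; set -- $rest; set +f             # split patterns, no glob yet
            for pat in "$@"; do
                case "$pat" in /*) ;; *) pat=/etc/ssh/$pat ;; esac  # sshd's rule for relative paths
                for f in $pat; do                    # glob now, sorted like glob(3)
                    [ -f "$f" ] && _sshd_walk "$f" "$want" && return 0
                done
            done
        elif [ "$kw" = "$want" ]; then
            printf '%s\n' "$rest"
            return 0
        fi
    done < "$file"
    return 1
}

# effective_sshd_value CONFIG KEYWORD: the value sshd would use for KEYWORD
effective_sshd_value() {
    _sshd_walk "$1" "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# build_demo DIR: constructed sample layout (not a real host) in the style of
# distributions that ship "Include /etc/ssh/sshd_config.d/*.conf" at the top:
# a vendor drop-in re-enables root, and the admin appends PermitRootLogin no.
build_demo() {
    local dir=$1
    mkdir -p "$dir/sshd_config.d"
    printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' \
        > "$dir/sshd_config.d/50-vendor.conf"
    printf 'Include %s/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\nPermitRootLogin no\n' \
        "$dir" > "$dir/sshd_config"
}

# harden_root_login DIR: the fix. Put both directives in a drop-in whose name
# sorts before every other drop-in, so sshd reads it first. On a real host run
# `sshd -t` before reloading and `sshd -T` afterwards to confirm.
harden_root_login() {
    local dir=$1
    printf 'PermitRootLogin no\nDenyUsers root\n' \
        > "$dir/sshd_config.d/00-deny-root.conf"
    chmod 0600 "$dir/sshd_config.d/00-deny-root.conf"
}

demo=$(mktemp -d)
build_demo "$demo"
printf 'appended at the bottom: PermitRootLogin = %s\n' \
    "$(effective_sshd_value "$demo/sshd_config" PermitRootLogin)"   # yes
harden_root_login "$demo"
printf 'via 00-deny-root.conf:  PermitRootLogin = %s, DenyUsers = %s\n' \
    "$(effective_sshd_value "$demo/sshd_config" PermitRootLogin)" \
    "$(effective_sshd_value "$demo/sshd_config" DenyUsers)"         # no, root
rm -rf "$demo"
```

The point of the demo is the first printf: even though the last line of the constructed sshd_config says PermitRootLogin no, the effective value is yes because the Include at the top pulled in 50-vendor.conf first. Only after 00-deny-root.conf exists, and sorts ahead of the vendor file, does the answer become no. Run effective_sshd_value against your own /etc/ssh/sshd_config to see which line is really winning, then trust sshd -T over the emulation.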

Test it

Run ssh command as follows:
$ ssh root@box-name
$ ssh root@192.168.2.30

You should be refused with an error like the following (the methods listed in parentheses depend on what the server offers, but none of them will work for root):

root@192.168.2.30: Permission denied (publickey).

You can now log in only as a normal (non-root) user:
$ ssh vivek@192.168.2.30
Next, use the sudo command or the su command to get a root shell:
$ sudo -i
OR
$ su -

Viewing failed ssh logins for root or any other user

Unix and Linux log files are located in the /var/log/ directory. Use the cd command to change dir:
$ cd /var/log
Then execute the ls command:
$ ls -l
Look at the authentication log, /var/log/secure on RHEL-family systems or /var/log/auth.log on Debian and Ubuntu, using the cat command, tail command or grep command. For example:
$ tail -f /var/log/auth.log
$ grep "authentication failure" /var/log/auth.log

...
Oct 23 18:46:12 wks01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=vivek
Oct 27 17:16:58 wks01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=vivek
Oct 29 12:11:33 wks01 sshd[14981]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.25  user=root
...

You can keep an eye on your log size using the df command or du command to check Linux disk space too:
$ df -H
$ du -csh

On systemd based Linux distros use the journalctl command to view failed ssh logins:
$ journalctl -u sshd
$ journalctl -u sshd | more

You can filter out as follows using the grep command/egrep command:
$ journalctl -u sshd.service | grep -i "fail" #RHEL/CentOS
$ journalctl -u ssh.service | grep -i "fail" #Debian/Ubuntu

OR use journalctl's own pattern matching (-g / --grep, available since systemd 237; an all-lowercase pattern matches case-insensitively):
$ journalctl -u ssh.service -g fail
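As an added example that is not part of the original article, the shell function below turns an auth.log or secure file into a per-address count of root login attempts, which is what you want to see once root is denied: who keeps knocking, and from where. It recognises the pam_unix "authentication failure" line shown above plus three messages sshd itself writes when root is refused or fails; those three formats are my reading of OpenSSH's auth code rather than anything on this page, so confirm them against your own log before wiring the output into an alert. The log lines it feeds itself are constructed sample data reusing the host name and addresses from the excerpt above.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: count root login
# attempts per source address in an auth.log / secure file. Matches the
# pam_unix "authentication failure" line the article shows and three sshd
# messages for root (ASSUMED formats, taken from reading OpenSSH's auth code;
# "ROOT LOGIN REFUSED" is only written when a valid root key was presented).

# root_attempts_by_host LOGFILE: prints "COUNT HOST" lines, busiest host first
root_attempts_by_host() {
    awk '
        # pam_unix(sshd:auth): authentication failure; ... rhost=A.B.C.D  user=root
        /pam_unix\(sshd:auth\): authentication failure/ && /user=root($|[ \t])/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=./) n[substr($i, 7)]++   # strip "rhost="
            next
        }
        # sshd[PID]: Failed password for root from A.B.C.D port N ssh2
        /sshd\[[0-9]+\]: Failed (password|publickey) for root from / { count_from(); next }
        # sshd[PID]: User root from A.B.C.D not allowed because listed in DenyUsers
        /sshd\[[0-9]+\]: User root from .* not allowed because listed in DenyUsers/ { count_from(); next }
        # sshd[PID]: ROOT LOGIN REFUSED FROM A.B.C.D port N
        /sshd\[[0-9]+\]: ROOT LOGIN REFUSED FROM / { count_from(); next }
        # record the field after the first "from"/"FROM" token
        function count_from(   i) {
            for (i = 1; i < NF; i++)
                if ($i == "from" || $i == "FROM") { n[$(i+1)]++; return }
        }
        END { for (h in n) print n[h], h }
    ' "$1" | sort -k1,1nr
}

# hosts_over LOGFILE MIN: hosts with at least MIN root attempts, one per line
# (candidates for a firewall block or an alert)
hosts_over() {
    root_attempts_by_host "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# write_sample_log FILE: constructed sample lines (same host and addresses as
# the article's excerpt); 192.168.2.25 tries root three ways, 203.0.113.7
# once, and the two non-root lines must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 29 12:11:33 wks01 sshd[14981]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.25  user=root
Oct 29 12:11:35 wks01 sshd[14981]: Failed password for root from 192.168.2.25 port 52231 ssh2
Oct 29 12:11:40 wks01 sshd[14990]: User root from 192.168.2.25 not allowed because listed in DenyUsers
Oct 29 12:12:01 wks01 sshd[14995]: ROOT LOGIN REFUSED FROM 203.0.113.7 port 40022
Oct 29 12:12:05 wks01 sshd[14999]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
Oct 29 12:12:09 wks01 sshd[15002]: Accepted publickey for vivek from 192.168.2.25 port 52300 ssh2
Oct 29 12:12:12 wks01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=vivek
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
root_attempts_by_host "$sample"
printf 'hosts with 2+ root attempts: %s\n' "$(hosts_over "$sample" 2)"
rm -f "$sample"
```

On a live host pass the real file (root_attempts_by_host /var/log/auth.log) or pipe the journal in with journalctl -u ssh -o short | root_attempts_by_host /dev/stdin. Note that with PermitRootLogin no sshd only logs ROOT LOGIN REFUSED when a valid root key was offered; password guessers show up as Failed password lines and as the pam_unix failures this page already greps for.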

Conclusion

This page explained how to disable and deny SSH login for the root user on Linux. For more info see the sshd_config man page. However, I strongly suggest that you also set up SSH keys for login and then disable password authentication; both are covered in this series:

This entry is 18 of 23 in the Linux/Unix OpenSSH Tutorial series. Keep reading the rest of the series:
  1. Top 20 OpenSSH Server Best Security Practices
  2. How To Set up SSH Keys on a Linux / Unix System
  3. OpenSSH Config File Examples For Linux / Unix Users
  4. Audit SSH server and client config on Linux/Unix
  5. How to install and upgrade OpenSSH server on FreeBSD
  6. Ubuntu Linux install OpenSSH server
  7. Install OpenSSH server on Alpine Linux (including Docker)
  8. Debian Linux Install OpenSSH SSHD Server
  9. Configure OpenSSH To Listen On an IPv6 Address
  10. OpenSSH Server connection drops out after few minutes of inactivity
  11. Display banner/message before OpenSSH authentication
  12. Force OpenSSH (sshd) to listen on selected multiple IP address only
  13. OpenSSH Change a Passphrase With ssh-keygen command
  14. Reuse SSH Connection To Speed Up Remote Login Process Using Multiplexing
  15. Check Syntax Errors before Restarting SSHD Server
  16. Change the ssh port on Linux or Unix server
  17. OpenSSH Deny or Restrict Access To Users and Groups
  18. Linux OpenSSH server deny root user access / log in
  19. Disable ssh password login on Linux to increase security
  20. SSH ProxyCommand example: Going through one host to reach server
  21. OpenSSH Multiplexer To Speed Up OpenSSH Connections
  22. Install / Append SSH Key In A Remote Linux / UNIX Servers Authorized_keys
  23. Use ssh-copy-id with an OpenSSH Server Listening On a Different Port


I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

4 comments… add one
  • slashx Aug 28, 2007 @ 9:42

    in /etc/ssh/sshd_config
    setting this:
    PermitRootLogin no
    Should also do the same thing, but denyusers works too :)

  • Wasim Mar 15, 2013 @ 5:18

    Nice Blog…

  • Wasim Mar 15, 2013 @ 5:21

    vi /etc/ssh/sshd_config
    Find the below line first
    #PermitRootLogin yes
    Add a new line below this entry
    PermitRootLogin no
    Reload sshd.

  • Mikhail Rosenstein Oct 29, 2022 @ 7:00

    Thank you I was able to connect to my server via ssh with the admin user and then use the command ‘sudo -s’ to switch to the root user.
