Disabling root login via SSH

Ok you should have your user added to the sudoers list and the system fully patched at this point – now let’s remove root from the accounts that are allowed to login via SSH.

If you need to do something as root – you should be logging in as your username (mine has been rkalla thus far in these examples) – and then using the sudo command to execute the necessary operations as root.

If you really need to operate as root you can always use the su - command once you’ve logged in to switch to the root account.

The first thing we need to do is open up the SSH Daemon config file (the one the SSH Server uses) and disallow logins from root by way of this command:

sudo nano /etc/ssh/sshd_config

If you are wondering how this file differs from the ssh_config file in the same directory – that one is used to configure the SSH Client (used to connect FROM this machine out TO other machines using SSH).

The file we are editing, the one with the ‘d’ in the name, is used to configure the daemon running on this machine accepting connections FROM clients TO this particular machine.

2 halves of the apple.

Now scroll down or search for the use of PermitRootLogin, in Ubuntu 20.04 LTS the lines around that setting look like so:

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

Note that # is used to comment out a line; most of this file is commented out in fact which means SSH is running with default values or overridden values specified in the supplemental /etc/ssh/sshd_config.d directory.

The valid values for the PermitRootLogin setting are defined here, in our case we want to remove prohibit-password and simply change it to no to disallow any type of root login remotely.

I always recommend leaving the ORIGINAL value commented in the file for future reference and making a note of why something was changed as a note to your future self.

In my case, my edit looks like:

#PermitRootLogin prohibit-password
#ADDED Feb 22, 2021 by rkalla
PermitRootLogin no

Now save the file, exit and let’s restart the SSH Daemon so it picks up the changes:

sudo systemctl restart ssh

If you want to make sure the service was restarted successfully, you can check it’s status with the, well, status command like so:

sudo systemctl status ssh

The output will look something like this:

ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-02-22 12:43:48 UTC; 29s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 12910 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 12911 (sshd)
      Tasks: 2 (limit: 76967)
     Memory: 2.6M
     CGroup: /system.slice/ssh.service
             ├─12911 sshd: /usr/sbin/sshd -D [listener] 1 of 10-100 startups
             └─12923 sshd: [accepted]

Feb 22 12:43:48 e3-2276 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 22 12:43:48 e3-2276 sshd[12911]: Server listening on 0.0.0.0 port 22.
Feb 22 12:43:48 e3-2276 sshd[12911]: Server listening on :: port 22.
Feb 22 12:43:48 e3-2276 systemd[1]: Started OpenBSD Secure Shell server.

Looks good, except… let’s get SSH off the default port of 22, next section!