If you need to do something as root – you should be logging in as your username (mine has been rkalla thus far in these examples) – and then using the sudo command to execute the necessary operations as
If you really need to operate as root you can always use the su - command once you’ve logged in to switch to the
The first thing we need to do is open up the SSH Daemon config file (the one the SSH Server uses) and disallow logins from root by way of this command:
sudo nano /etc/ssh/sshd_config
If you are wondering how this file differs from the ssh_config file in the same directory – that one is used to configure the SSH Client (used to connect FROM this machine out TO other machines using SSH).
The file we are editing, the one with the ‘d’ in the name, is used to configure the daemon running on this machine accepting connections FROM clients TO this particular machine.
2 halves of the apple.
Now scroll down or search for the use of PermitRootLogin; in Ubuntu 20.04 LTS the lines around that setting look like so:
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
# is used to comment out a line; most of this file is commented out in fact which means SSH is running with default values or overridden values specified in the supplemental
The valid values for the PermitRootLogin setting are defined here; in our case we want to remove prohibit-password and simply change it to no to disallow any type of root login remotely.
I always recommend leaving the ORIGINAL value commented in the file for future reference and making a note of why something was changed as a note to your future self.
In my case, my edit looks like:
#PermitRootLogin prohibit-password
#ADDED Feb 22, 2021 by rkalla
PermitRootLogin no
Now save the file, exit and let’s restart the SSH Daemon so it picks up the changes:
sudo systemctl restart ssh
If you want to make sure the service was restarted successfully, you can check its status with the, well, status command like so:
sudo systemctl status ssh
The output will look something like this:
ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-02-22 12:43:48 UTC; 29s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 12910 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 12911 (sshd)
      Tasks: 2 (limit: 76967)
     Memory: 2.6M
     CGroup: /system.slice/ssh.service
             ├─12911 sshd: /usr/sbin/sshd -D [listener] 1 of 10-100 startups
             └─12923 sshd: [accepted]

Feb 22 12:43:48 e3-2276 systemd: Starting OpenBSD Secure Shell server...
Feb 22 12:43:48 e3-2276 sshd: Server listening on 0.0.0.0 port 22.
Feb 22 12:43:48 e3-2276 sshd: Server listening on :: port 22.
Feb 22 12:43:48 e3-2276 systemd: Started OpenBSD Secure Shell server.
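A running service does not prove the setting took effect: sshd keeps the first value it reads for each keyword, so a PermitRootLogin line in an included file that is read ahead of your edit would override it. The following added example (not from the original post) reads config text in sshd's order and reports the winning value; the sample configs are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical
# and the sample configs below are constructed.

# effective_value KEYWORD: read sshd config text on stdin and print the first
# uncommented global value for KEYWORD, lowercased. Prints nothing if unset.
effective_value() {
    awk -v key="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # trim indent, allow key=value
        /^#/ || /^$/ { next }                               # skip comments and blank lines
        tolower($1) == "match" { exit }                     # Match blocks are conditional
        tolower($1) == tolower(key) { print tolower($2); exit }
    '
}

# root_login_state: winning PermitRootLogin value, falling back to the
# OpenSSH default (the commented-out value shown in the stock file).
root_login_state() {
    value=$(effective_value PermitRootLogin)
    echo "${value:-prohibit-password}"
}

# Constructed sample: the edited section of sshd_config from this post.
sample_edited() {
    printf '%s\n' '# Authentication:' '#LoginGraceTime 2m' \
        '#PermitRootLogin prohibit-password' \
        '#ADDED Feb 22, 2021 by rkalla' 'PermitRootLogin no' '#StrictModes yes'
}

# Constructed sample: a hypothetical included file, read first, re-enables root.
sample_shadowed() {
    printf '%s\n' 'PermitRootLogin yes'
    sample_edited
}

echo "edited file alone:     $(sample_edited | root_login_state)"
echo "with earlier override: $(sample_shadowed | root_login_state)"

# On the server itself: validate syntax, then ask sshd for the value it will
# use once every included file has been merged (sshd -T prints lowercase keys).
if [ "${1:-}" = "--live" ]; then
    sudo sshd -t && sudo sshd -T | effective_value PermitRootLogin
fi
```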
Looks good, except… let’s get SSH off the default port of 22, next section!