How to Disable SSH Root Login On Linux Systems
by Prashant ·

Disable SSH Root Login
The root account on the server has the power to perform any actions like create/update/delete/install/remove.
The root account is an administrative account on all Linux and Unix systems. This account has rights on all the commands and files on the system with Write, Read, and execute permissions.
In this interest, any issues by root users may have big entanglements on the regular operation of the system.
All sysadmins are already known that any hacker can hack your system through a brute force attack on the SSH root account and possibly get access to your system.
Attention: Before disabling the root account make sure you will have SUDO access with the normal user who has all the root permissions to perform on the system.
If you are new to Linux and not having an idea to create a regular account then go through the below provided link. This will help you to create a regular user account on the system.
Read: Normal User SSH Access On Linux
4 Ways to Disable SSH Root login
Step 1: Change the shell for the root user
The simple way to disable the ssh root login is to change the root user shell from /bin/bash to /sbin/nologin.
You can change the shell from “/etc/passwd” file.
sudo vim /etc/passwd
Replace the line:
root:x:0:0:root:/root:/bin/bash to root:x:0:0:root:/root:/sbin/nologin
After the changes in “/etc/passwd” file no one will able to access the system with root login.
Root login is disabled for direct access but its accessible through SUDO user.
Step 2: Disable SSH Root Login
Another method to disable the root account problem, you will need to make some changes to the “sshd_config” file.
This is the main configuration file of SSH.
“sshd_config” file basically, resides under the “/etc/ssh” directory.
First logged on a server with root user and open the “/etc/ssh/sshd_config” file.
vim /etc/ssh/sshd_config
##Now check for the line "PermitRootLogin" and uncomment this line which is by default commented in the file.
PermitRootLogin no
Save and Close the file.
Restart the SSH service to apply the latest change in the file.
$ /etc/init.d/ssh restart
Now open a new tab and check with root login. It will not allow you to login with the root user.
Then login with a normal user for which you have given the SUDO access.
Step 3: Restrict Root Via PAM
PAM stands for Pluggable Authentication Modules.
It is basically used to perform tasks like authentication, authorization, and some modification (Like password change).
pam_unix.so module is important module that handles the auth and account stack.
pam_listfile.so module will help to provide the limitation on a specific account.
Here, we want to restrict the root account from accessing the servers via SSH login.
First, open the file sshd or login from “/etc/pam.d” as shown below,
$ sudo vim /etc/pam.d/login OR $ sudo vim /etc/pam.d/sshd
Then add below configuration in both the files,
auth required pam_listfile.so \ onerr=succeed item=user sense=deny file=/etc/ssh/restrictedusers
Once you are done with the above changes, save and close the file.
Now create the plain file “/etc/ssh/restrictedusers” & add the one name/item per line and change the file permission as shown,
$ sudo vim /etc/ssh/restrictedusers
root
$ sudo chmod 600 /etc/ssh/restricteduser
It will block the root access for programs and services which are known by the PAM module.
For More Information Refer,
$ man pam_securetty $ man sshd_config $ man pam
Step 4: Block the Root Login Via Console TTY
There is one more way to restrict root access for Secure TTY using PAM Method.
For that, we are going to use pam_securetty module. It will allow the user only when the user is login in on “Secure TTY” which is defined in “/etc/securetty” file.
Run the following command to create an empty file,
$ sudo mv /etc/securetty /etc/securetty.orig $ sudo touch /etc/securetty $ sudo chmod 600 /etc/securetty
But here we have some limitations as it only affects the services such as login, display managers, and network services which are using the TTY.
But the programs such as su, sudo, and ssh will have access to the root account.
That’s it. We have explained the 4 ways of disabling ssh root login on Linux systems.
I hope you like the article if you find any difficulties to disable the root account then please do comment your queries or problem via the comment section, till then stay tuned to Linuxgrow.com for more such valuable articles.
Thank You 🙂