Do Not Allow root User to Remotely Log In to the Linux System
The PermitRootLogin parameter in the /etc/ssh/sshd_config configuration file is used to control whether the root user is allowed to log in to the system via SSH. To enhance system security, it is highly advised to set this parameter to no to prevent direct root login.
System administrators should log in via SSH using their individual user accounts first, and then elevate their privileges to root using sudo or su. This practice ensures clear audit trails in the event of a security incident. Before applying this configuration, verify that other user accounts with administrative privileges exist on the system; otherwise, you may lose SSH remote management access once the configuration takes effect.
Once configured, the root user cannot remotely log in to the system via SSH.
- Check whether the PermitRootLogin configuration is correct (verify that the outputs of both commands match the expected results).
- Command 1:
sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitrootloginThe following is an example, indicating that direct root login is disabled.
permitrootlogin no
- Command 2:
grep -Ei '^\s*PermitRootLogin\s+yes' /etc/ssh/sshd_config
The following is an example, indicating that no PermitRootLogin yes configuration exists.
Nothing is returned
- Command 1:
- If either of the command outputs does not match the expected result, modify the /etc/ssh/sshd_config file and restart the SSHD service.
- Open the configuration file.
vim /etc/ssh/sshd_config
- Press i to enter the insert mode and change the value of PermitRootLogin to no.
PermitRootLogin no
- Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
- Restart the SSHD service.
systemctl restart sshd
- Open the configuration file.