How To Allow or Deny SSH Root Login in Linux

This post will guide you how to Allow or Deny Root Login in Linux operating system. How do I limit SSh Access to Users and groups in Linux. How to disable SSH Login for root user from the remote Linux server.

• Allow SSH Access to a User or Group
• Deny SSH Access to a User or Group
• Disable SSH Access for Root User

Allow SSH Access to a User or Group

If you want to allow SSH access for one or two particular users from the remote Linux or Unix server, and you need to edit the configuration file named sshd_config under /etc/ssh directory using your vi/vim text editor:

$ sudo vim /etc/ssh/sshd_config

then adding the following line into the file:

AllowUsers devops devops01

Save and close the file.

If you want to allow an entire group for SSH Access, and you can edit the configuration file /etc/ssh/sshd_config using vim text editor:

$ sudo vim /etc/ssh/sshd_config

add the following line into the file:

AllowGroups devops

save and close the file.

Then those users who are in the “devops” group can be able to ssh access from the remote server.

You need to restart SSHD service to take effect for changes by using the following command:

$ sudo systemctl restart sshd.service

Deny SSH Access to a User or Group

If you want to deny SSH access to a user or group, and you can edit the sshd_config file by adding the following lines:

$ sudo vim /etc/ssh/sshd_config

Adding the following lines:

DenyUsers devops
DenyGroups devops

save and close the file and restart sshd service.

Disable SSH Access for Root User

If you want to disable SSH Access for root user, and you also need to edit /etc/ssh/sshd_config file using your vim text editor:

$ sudo vim /etc/ssh/sshd_config

find the following line and uncomment it, and set the value to no.

PermitRootLogin no

Save and close the file. and restart the sshd service with the following command:

$ sudo systemctl restart sshd

Let’s try to ssh to your server using root user, type:

$ ssh root@192.168.3.50

Outputs:

devops@devops:~$ ssh root@192.168.3.50
The authenticity of host '192.168.3.50 (192.168.3.50)' can't be established.
ECDSA key fingerprint is SHA256:dcUJtf8y1Wq2N+CD15pabodk9DhjpQI/RI7P5+5AhBI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.3.50' (ECDSA) to the list of known hosts.
root@192.168.3.50's password:
Permission denied, please try again.
root@192.168.3.50's password:

From the above outputs, you can see that you are not able to user root user to ssh to your server.

Conclusion

You should know that how to allow or deny ssh access to your server for root user or a particular user or group by modifying /etc/ssh/sshd_config file in your Linux system.