How To Allow or Deny SSH Root Login in Linux
This post explains how to allow or deny SSH root login on Linux, how to limit SSH access to specific users and groups, and how to disable SSH login for the root user on a remote Linux server.
- Allow SSH Access to a User or Group
- Deny SSH Access to a User or Group
- Disable SSH Access for Root User
Allow SSH Access to a User or Group
If you want to allow SSH access for one or two particular users on a remote Linux or Unix server, edit the configuration file named sshd_config under the /etc/ssh directory using the vi/vim text editor:
$ sudo vim /etc/ssh/sshd_config
Then add the following line to the file. Once AllowUsers is set, only the listed users can log in over SSH:
AllowUsers devops devops01
Save and close the file.
If you want to allow SSH access for an entire group, edit the configuration file /etc/ssh/sshd_config using the vim text editor:
$ sudo vim /etc/ssh/sshd_config
Add the following line to the file:
AllowGroups devops
Save and close the file.
Then the users who are in the “devops” group are able to access the server over SSH.
Restart the sshd service for the changes to take effect by using the following command:
$ sudo systemctl restart sshd.service
Deny SSH Access to a User or Group
If you want to deny SSH access to a user or group, edit the sshd_config file:
$ sudo vim /etc/ssh/sshd_config
Add the following lines, each directive on its own line:
DenyUsers devops
DenyGroups devops
Save and close the file, then restart the sshd service.
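The Allow and Deny directives above are evaluated together: sshd checks DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and when both AllowUsers and AllowGroups are set a login must satisfy both. The script below is an added example, not part of the original post, that models this decision for one user; the function names sshd_list, in_list and ssh_access are hypothetical, and it assumes exact names only and reads only the global section of the file.

```shell
#!/bin/sh
# Added example (not from the original page): models how sshd combines
# AllowUsers/DenyUsers/AllowGroups/DenyGroups for one login.
# Assumptions: exact names only (no wildcard or user@host patterns), global
# section only (stops at the first Match block), Include files not followed.

# Print every argument given to KEYWORD, one per line. Keywords are
# case-insensitive and repeated lines accumulate for these four directives.
sshd_list() {  # usage: sshd_list FILE KEYWORD
    awk -v kw="$2" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed if any NAME appears as a whole line in LIST.
in_list() {  # usage: in_list "LIST" NAME...
    list=$1; shift
    for name in "$@"; do
        printf '%s\n' "$list" | grep -Fxq -- "$name" && return 0
    done
    return 1
}

# Print "allow" or "deny: reason" for USER, who belongs to GROUP...
ssh_access() {  # usage: ssh_access FILE USER GROUP...
    file=$1; user=$2; shift 2
    du=$(sshd_list "$file" DenyUsers);  au=$(sshd_list "$file" AllowUsers)
    dg=$(sshd_list "$file" DenyGroups); ag=$(sshd_list "$file" AllowGroups)
    # Order used by sshd: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    if in_list "$du" "$user"; then echo "deny: DenyUsers"; return; fi
    if [ -n "$au" ] && ! in_list "$au" "$user"; then
        echo "deny: not in AllowUsers"; return; fi
    if in_list "$dg" "$@"; then echo "deny: DenyGroups"; return; fi
    if [ -n "$ag" ] && ! in_list "$ag" "$@"; then
        echo "deny: not in AllowGroups"; return; fi
    echo allow
}

# Constructed sample: the AllowUsers and AllowGroups lines from this page.
demo_cfg=$(mktemp)
printf '%s\n' 'AllowUsers devops devops01' 'AllowGroups devops' > "$demo_cfg"
ssh_access "$demo_cfg" devops devops     # allow
ssh_access "$demo_cfg" devops01 staff    # deny: not in AllowGroups
```

Before restarting the service, "sudo sshd -t" checks the edited file for syntax errors and "sudo sshd -T" prints the effective configuration.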
Disable SSH Access for Root User
If you want to disable SSH access for the root user, edit the /etc/ssh/sshd_config file using the vim text editor:
$ sudo vim /etc/ssh/sshd_config
Find the following line, uncomment it, and set the value to no:
PermitRootLogin no
Save and close the file, then restart the sshd service with the following command:
$ sudo systemctl restart sshd
Now try to SSH to your server as the root user. Type:
$ ssh root@192.168.3.50
Outputs:
devops@devops:~$ ssh root@192.168.3.50
The authenticity of host '192.168.3.50 (192.168.3.50)' can't be established.
ECDSA key fingerprint is SHA256:dcUJtf8y1Wq2N+CD15pabodk9DhjpQI/RI7P5+5AhBI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.3.50' (ECDSA) to the list of known hosts.
root@192.168.3.50's password:
Permission denied, please try again.
root@192.168.3.50's password:
From the above output, you can see that you are not able to use the root user to SSH to your server.
Conclusion
You should now know how to allow or deny SSH access to your server for the root user or for a particular user or group by modifying the /etc/ssh/sshd_config file on your Linux system.