How to disable SSH logins for the root account

This article describes how to disable SSH logins for the root account. For security reasons, you should create a normal user account, and then disable SSH logins for the root account as soon as possible.

The following procedures only apply to semi-managed accounts. Shared and reseller hosting accounts do not have root access to the server.

Creating a normal user account

Before you disable SSH logins for the root account, you must create a normal user account. (Otherwise, you will be unable to access your server when you disable the root account for SSH logins.)

CentOS and Fedora

To create a user and grant it administrative privileges on a server running CentOS or Fedora, follow these steps:

  1. Log in to the server using SSH.
  2. At the command prompt, type the following command. Replace username with the name of the user that you want to add:

    useradd username
  3. To set a password for the new user, type the following command. Replace username with the name of the user that you created in step 2:

    passwd username
  4. To grant administrative privileges to the user, type the following command:

    visudo

    This command opens the sudoers file for editing.

  5. Add the following line to the file. Replace username with the name of the user that you created in step 2:

    username ALL=(ALL) ALL

    Now the user can run commands as the root user by prefixing the command with sudo. For example, the user can view the root home directory by typing the command sudo ls /root.

    The user can now run any command as the root user. For security reasons, however, you may want to restrict which commands the user can run as root. Alternatively, you can use the su command to change to the root user account from any account (assuming you know the root password).

Debian and Ubuntu

To create a user and grant it administrative privileges on a server running Debian or Ubuntu, follow these steps:

  1. Log in to the server using SSH.
  2. At the command prompt, type the following command. Replace username with the name of the user that you want to add:

    adduser username
  3. Install the sudo package. To do this, type the following command:

    apt-get install sudo
  4. To add the user to the sudo group, type the following command. Replace username with the name of the user that you created in step 2:

    usermod -a -G sudo username

    Now the user can run commands as the root user by prefixing the command with sudo. For example, the user can view the root home directory by typing the command sudo ls /root.

    By default, the user can now run any command as the root user. For security reasons, however, you may want to restrict which commands the user can run as root by using the visudo command. Alternatively, you can use the su command to change to the root user account from any account (assuming you know the root password).

Disabling SSH login for root

After you create a normal user, you can disable SSH logins for the root account. To do this, follow these steps:

  1. Log in to the server as root using SSH.
  2. Open the /etc/ssh/sshd_config file in your preferred text editor (nano, vi, etc.).
  3. Locate the following line:

    PermitRootLogin yes
  4. Modify the line as follows:

    PermitRootLogin no
  5. Add the following line. Replace username with the name of the user you created in the previous procedure:

    AllowUsers username

    This step is crucial. If you do not add the user to the list of allowed SSH users, you will be unable to log in to your server!
  6. Save the changes to the /etc/ssh/sshd_config file, and then exit the text editor.
  7. Restart the SSH service using the appropriate command for your Linux distribution:

    • For CentOS and Fedora, type:

      service sshd restart

    • For Debian and Ubuntu, type:

      service ssh restart
      
  8. While still logged in as root, try to log in as the new user using SSH in a new terminal window. You should be able to log in. If the login fails, check your settings. Do not exit your open root session until you are able to log in as the normal user in another window.
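
A pre-restart check for steps 4 to 7 above, added here as an example and not part of the original article. It reads the effective settings that `sshd -T` prints and confirms that root login is off and that the new user appears in AllowUsers. The function name check_ssh_lockdown and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# check_ssh_lockdown USER
# Reads effective sshd settings on stdin, in the lowercase "keyword value"
# form printed by `sshd -T`, and returns:
#   0  PermitRootLogin is "no" and USER is listed in AllowUsers
#   1  PermitRootLogin is not "no" (step 4 is not in effect)
#   2  USER is not listed in AllowUsers (step 5 is not in effect)
# Only exact user names are matched; wildcard patterns and user@host
# entries are deliberately not evaluated, so they are reported as code 2.
check_ssh_lockdown() {
    awk -v user="$1" '
        { key = tolower($1) }
        key == "permitrootlogin" { root = tolower($2) }
        key == "allowusers" {
            # sshd -T prints one entry per line, but several names on one
            # line (as written in sshd_config) are accepted as well.
            for (i = 2; i <= NF; i++)
                if ($i == user) allowed = 1
        }
        END {
            if (root != "no") exit 1
            if (!allowed)     exit 2
            exit 0
        }'
}

# On the server, as root, before restarting the service in step 7:
#   sshd -t && sshd -T | check_ssh_lockdown username && echo "safe to restart"
# `sshd -t` rejects a file with syntax errors; `sshd -T` prints the settings
# sshd would actually use, including any Include files and earlier
# duplicate lines that override the line you edited.

# Constructed sample of `sshd -T` output (not captured from a real server).
sample='port 22
permitrootlogin no
passwordauthentication yes
allowusers username'

if printf '%s\n' "$sample" | check_ssh_lockdown username; then
    echo "sample: root login disabled and username allowed"
else
    echo "sample: check failed"
fi
```

A non-zero result means the edited file is not yet doing what steps 4 and 5 intend, so fix it before restarting and keep the root session from step 8 open either way.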