
Disable Root SSH Login: Complete Guide

Step-by-step guide to disable direct root SSH access on Linux servers for better security


Disable Direct Root SSH Login

Disabling direct root SSH access is a critical security best practice. Here’s exactly what to change, what to restart, and how to verify.


Step 1: Edit the SSH Configuration File

Open the SSH daemon configuration file with your preferred editor:

    sudo vi /etc/ssh/sshd_config

Or with nano if you prefer:

    sudo nano /etc/ssh/sshd_config

Step 2: Find and Update the Setting

Search for the PermitRootLogin line inside the file. In vi, type the following and press Enter to jump to it (in nano, press Ctrl+W and enter PermitRootLogin):

    /PermitRootLogin

You will see one of these existing values:

    # Before (common defaults)
    PermitRootLogin yes
    # PermitRootLogin yes       ← commented out
    PermitRootLogin prohibit-password

Change it to:

    # After
    PermitRootLogin no

Note: If the line starts with #, remove the # to uncomment it, then set the value to no.



Step 3: Validate the Configuration (Before Restarting)

Check the config file for syntax errors before restarting the SSH service (run it with sudo, because sshd -t also needs to read the host keys):

    sudo sshd -t

If the command prints nothing and exits with status 0, the configuration is valid. If it reports errors, fix them before proceeding: a restart with a broken configuration leaves sshd stopped, so new connections fail.


Step 4: Restart SSH Service

Apply the changes by restarting the SSH daemon:

    sudo systemctl restart sshd

On Debian and Ubuntu the unit is named ssh, so use sudo systemctl restart ssh there if sshd is reported as not found.

⚠️ Warning: This will not disconnect your current session, but any new root SSH login attempts will be denied immediately after restart.


Step 5: Verify the Change

Confirm the setting is active by asking sshd to print its effective configuration (the value after all included files have been applied, which is the one that matters):

    sudo sshd -T | grep permitrootlogin

Expected output:

    permitrootlogin no



Step 6: Test From a New Terminal

Do not close your current session yet. Open a new terminal and attempt to SSH as root:

    ssh root@your-server-ip

Expected result:

    Permission denied, please try again.

or

    root@your-server-ip: Permission denied (publickey).

Once confirmed, your current session is safe to close.
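The six steps above can also be scripted for servers you manage in bulk. The following is an added example, not code from the original post: set_option rewrites the sshd_config text to handle all three starting forms shown in Step 2 (active line, commented-out line, or a different value), drops later global duplicates so sshd's first-value-wins rule cannot reinstate the old setting, and leaves lines inside a Match block alone. apply_live then runs the post's own commands (sshd -t, systemctl restart sshd, sshd -T) and rolls the file back if validation fails; it needs root and a real sshd, so only the text rewrite runs offline. The config path, the .bak backup name and the --apply flag are this example's own choices.

```python
import re
import subprocess
import sys

CONFIG = "/etc/ssh/sshd_config"   # path used throughout the post


def set_option(text, key, value):
    """Return sshd_config text with the global `key` directive set to `value`.

    Handles the three forms the post shows: an active line, a commented-out
    "#Key ..." line (uncommented and reused), or a line with another value.
    Later global duplicates are dropped so sshd's first-value-wins rule cannot
    reinstate the old setting; lines inside a Match block are left alone,
    because sshd scopes them to that block; if the keyword is absent, the
    directive is appended before any Match block.
    """
    # Optional leading "#", the keyword, then a separator (space, tab or "=").
    # A comment line that starts with the bare keyword is treated as a
    # commented-out directive, which is what Step 2 of the post expects.
    directive = re.compile(r"^\s*#?\s*" + re.escape(key) + r"(?:\s+|\s*=\s*)", re.I)
    new_line = f"{key} {value}\n"
    out, done, in_match = [], False, False
    for line in text.splitlines(keepends=True):
        if not in_match and re.match(r"^\s*match\b", line, re.I):
            in_match = True                 # the global section ends here
            if not done:
                out.append(new_line)
                done = True
        if not in_match and directive.match(line):
            if not done:
                out.append(new_line)        # replace the first occurrence in place
                done = True
            continue                        # drop the old value and any duplicates
        out.append(line)
    if not done:
        out.append(new_line)
    return "".join(out)


def apply_live(key="PermitRootLogin", value="no", config=CONFIG):
    """Steps 2 to 5 of the post, scripted: edit, validate, restart, verify.

    Needs root and a real sshd. Writes config + ".bak" first and restores it
    if `sshd -t` rejects the new file, so a broken config never reaches the
    restart. Returns the effective line from `sshd -T` (expect
    "permitrootlogin no").
    """
    with open(config) as fh:
        original = fh.read()
    with open(config + ".bak", "w") as fh:
        fh.write(original)
    with open(config, "w") as fh:
        fh.write(set_option(original, key, value))
    try:
        subprocess.run(["sshd", "-t"], check=True)                  # Step 3
    except subprocess.CalledProcessError:
        with open(config, "w") as fh:
            fh.write(original)                                      # roll back
        raise
    # Step 4; the unit is named "ssh" on Debian/Ubuntu
    subprocess.run(["systemctl", "restart", "sshd"], check=True)
    # Step 5: sshd -T prints the effective, post-Include configuration
    dump = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return next(l for l in dump.splitlines() if l.startswith(key.lower() + " "))


if __name__ == "__main__":
    if "--apply" in sys.argv:
        print(apply_live())
    else:
        # Offline demonstration on constructed text covering all three forms
        sample = ("Port 22\n# PermitRootLogin yes\nPermitRootLogin prohibit-password\n"
                  "Match User backup\n    PermitRootLogin yes\n")
        print(set_option(sample, "PermitRootLogin", "no"), end="")
```

Run it without arguments to see the rewrite on the constructed sample; run it as root with --apply to perform the live change. Keeping the rollback inside apply_live is the point of Step 3: the file is only ever restarted against after sshd -t has accepted it.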


Troubleshooting

SSH service fails to restart

Check the service status for errors:

    sudo systemctl status sshd

Or inspect the system logs:

    sudo journalctl -xe | grep sshd

Root login still works after the change

Some systems have a secondary config directory whose files override the main file: sshd keeps the first value it reads for each keyword, and on these systems the Include line for the directory sits at the top of /etc/ssh/sshd_config, so a drop-in file is read before your edit. Check:

    ls /etc/ssh/sshd_config.d/

If files exist there, inspect them for a conflicting PermitRootLogin yes line and set it to no there as well (or remove it), then validate and restart again.

Locked out of the server

If you lose access:

  • Use your cloud provider’s emergency console (e.g. AWS EC2 Serial Console, DigitalOcean Recovery Console)
  • Boot into rescue/recovery mode
  • Revert the change by setting PermitRootLogin yes temporarily, then set up a proper sudo user before disabling it again

Summary

| Step | Command |
| --- | --- |
| Open config | sudo vi /etc/ssh/sshd_config |
| Set value | PermitRootLogin no |
| Validate config | sudo sshd -t |
| Restart service | sudo systemctl restart sshd |
| Verify change | sudo sshd -T \| grep permitrootlogin |
| Test login | ssh root@your-server-ip |

After disabling root login, consider these additional SSH hardening steps:

  • Disable password authentication — use SSH keys only

        PasswordAuthentication no

  • Change the default SSH port from 22 to a custom port

        Port 2222

  • Limit SSH access to specific users

        AllowUsers yourusername

  • Set idle timeout to auto-disconnect inactive sessions

        ClientAliveInterval 300
        ClientAliveCountMax 2

All of the above changes are made in the same /etc/ssh/sshd_config file and require a service restart to take effect.
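Because the override problem from the Troubleshooting section applies to every setting in the hardening list above, it helps to resolve the effective value the way sshd does rather than reading one file. The following is an added example, not code from the original post, and it operates on a constructed in-memory set of files rather than the real /etc/ssh: it expands Include where it appears (relative paths under /etc/ssh, matches in sorted name order), stops at the first Match block, keeps the first value seen for each keyword, and reports which file and line set it. The sample drop-in names (50-cloud-init.conf, 60-vendor.conf) and the RECOMMENDED table, which is taken from the post's list minus the site-specific Port and AllowUsers values, are this example's own.

```python
import fnmatch
import posixpath
import re

# Constructed sample "filesystem" (path -> contents), not real files: an
# Ubuntu-style main file whose first line pulls in a drop-in directory, plus
# two drop-ins that quietly re-enable what the main file disables.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "Port 22\n"
        "#PermitRootLogin yes\n"
        "PermitRootLogin no\n"
        "PasswordAuthentication no\n"
        "ClientAliveInterval 300\n"
        "ClientAliveCountMax 2\n"
        "Match User backup\n"
        "    PermitRootLogin yes\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/60-vendor.conf": "PermitRootLogin yes\n",
}

# Keyword -> value from the post's hardening list (Port and AllowUsers are
# site-specific and so are left out of the automatic check).
RECOMMENDED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "clientaliveinterval": "300",
    "clientalivecountmax": "2",
}


def _expand_include(pattern, files):
    """Resolve an Include argument against `files`. Paths without a leading
    "/" are taken relative to /etc/ssh, as sshd does; matches are sorted
    like glob(3) so drop-ins apply in name order."""
    if not pattern.startswith("/"):
        pattern = posixpath.join("/etc/ssh", pattern)
    return sorted(p for p in files if fnmatch.fnmatch(p, pattern))


def global_directives(path, files, _seen=None):
    """Yield (keyword, value, "file:line") for global directives in the order
    sshd reads them: Include is expanded where it appears, and parsing stops
    at the first Match block because everything after it is conditional."""
    _seen = set() if _seen is None else _seen
    if path in _seen:                       # guard against Include loops
        return
    _seen.add(path)
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key val" or "Key=val"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            return
        if key == "include":
            for inc in _expand_include(value, files):
                yield from global_directives(inc, files, _seen)
            continue
        yield key, value, f"{path}:{lineno}"


def effective(path, files):
    """First value wins, exactly as sshd resolves each keyword; later lines
    for the same keyword are ignored, which is why a drop-in overrides the
    main file when the Include line sits at the top."""
    result = {}
    for key, value, source in global_directives(path, files):
        result.setdefault(key, (value, source))
    return result


def audit(path, files, recommended=RECOMMENDED):
    """Return one finding per recommended keyword whose effective value
    differs, naming the file and line that actually set it."""
    eff = effective(path, files)
    findings = []
    for key, wanted in recommended.items():
        got, source = eff.get(key, (None, "not set; sshd built-in default applies"))
        if got != wanted:
            findings.append(f"{key}: want {wanted!r}, got {got!r} ({source})")
    return findings


if __name__ == "__main__":
    for finding in audit("/etc/ssh/sshd_config", SAMPLE_FILES):
        print(finding)
```

On the sample the audit reports that PermitRootLogin and PasswordAuthentication are both effectively yes, each traced to a drop-in file rather than to the main file where they were set to no. The same logic explains the fix: a drop-in that sorts first (for example a 00-prefixed file) wins over later ones, so hardening settings placed there survive vendor or cloud-init drop-ins. On a real host, sudo sshd -T remains the authoritative check; this script only shows why its output can differ from what the main file says.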

This post is licensed under CC BY 4.0 by the author.