Categories
blogs

Ubuntu 18 : Disable ssh root login

After your initial setup of your Ubuntu 18 server, and that includes adding a couple of new users, including at least one super user that can sudo up, it’s time to prevent the root user from being able to login on ssh. The username is a default, and doesn’t have to be guessed.

Note: Another blog post will discuss how to change the default ssh port.

ssh into your server with a user that can sudo up, once connected, type:

nano -w /etc/ssh/sshd_config

Within this file find (you could use control+w):

PermitRootLogin yes

Note: If there’s a # in front of this line, remove the # character.

Change the yes to no:

PermitRootLogin no

Save the file (control+x to exit out)

You’ve customized the ssh daemon configuration file, but before we restart the service, I do recommend logging in without a root account, and maybe on a second ssh session. In case you get kicked out due to these changes (but you should be fine).

When you’re ready to restart the ssh service, type:

service ssh restart

It will look like this:

root@server:~# service ssh restart
root@server:~#

Try in a new terminal window or tab to ssh back into the server as root, it will appear to work, but even upon entering the correct password you will get the message Permission Denied.

Then go test with the sudo user, ssh in and it should work. If not, undo your change, restart ssh and fix your error.

floris@iMac ~ % ssh root@example.com -p 22
root@example's password:
Permission denied, please try again.
root@example's password: ^c
floris@iMac ~ %
floris@iMac ~ % ssh floris@example.com -p 22
floris@example's password:
Welcome to this Ubuntu server.
Last login: a minute ago from this.ip.address
floris@server:~$ sudo su -
[sudo] password for floris:
root@server:~#

Yay, it’s all good. Maybe in another blog post I will explain how to update the ssh daemon service to not allow passwords to login, and require the ssh key to do so. But first, let’s change the default ssh port. Which I will also explain in a different blog post.

By MrFloris

This blog is for people who know me, so nothing to tell. For those who don't know me yet, .. read my blog ;)