Control root login using ssh
It is more secure not to permit root login with a password. Instead, log in as a regular local user and obtain root privileges with su or sudo once authenticated.
To disable root login using a password, set the PermitRootLogin parameter of the sshd_config file to without-password. Once this parameter is set, you will not be able to log in as root using a password, but you will still be able to with ssh keys.
The following is from the sshd_config manpage (this setting is in the sshd_config file which is by default /etc/ssh/sshd_config):
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, without-password, forced-commands-only, or no. The default is prohibit-password.
If this option is set to prohibit-password or without-password, password and keyboard-interactive authentication are disabled for root.
If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to no, root is not allowed to log in.
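A way to check which of the values above a given sshd_config file sets globally, and whether it rules out password login for root. This is an added example, not part of the original page or of OpenSSH; the function names are hypothetical, the sample config is constructed, and the script assumes Include files and Match blocks can be ignored.

```shell
#!/bin/sh
# Added example: audit the global PermitRootLogin value in an sshd_config file.
# Assumptions: Include files are not followed and Match blocks are skipped.
# permit_root_login and root_password_login_disabled are hypothetical names.

# Print the first global PermitRootLogin value as written. sshd uses the
# first value it obtains for a keyword; with none set, the default quoted
# in the manpage text above (prohibit-password) applies.
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                   # skip comment lines
        { sub(/=/, " "); gsub(/"/, "") }      # accept key=value and quotes
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == "permitrootlogin" && NF >= 2 {
            print $2; found = 1; exit
        }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Return 0 if the value disables password login for root, 1 otherwise.
# Unrecognised values are treated as not hardened.
root_password_login_disabled() {
    case "$(permit_root_login "$1")" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config, not taken from a real host.
sample=$(mktemp)
printf '%s\n' \
    '#PermitRootLogin yes' \
    'Port 22' \
    'PermitRootLogin without-password' \
    'PermitRootLogin yes' > "$sample"

echo "PermitRootLogin: $(permit_root_login "$sample")"
if root_password_login_disabled "$sample"; then
    echo "root cannot log in with a password"
else
    echo "root password login is permitted"
fi
rm -f "$sample"
```

On a running host, sshd -t validates the file before a reload and sshd -T prints the effective configuration, including included files.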