Disabling SSH logins for the root account and turning off password authentication for every account are two of the most effective hardening steps for a Linux server: together they remove the single most attacked username and the one credential type that can be guessed. This tutorial walks through the process step by step, with a check after each stage so you don't lock yourself out.
Creating a non-root user with `sudo` privileges is essential for maintaining secure server management practices. Directly using the root account poses significant security risks, as it provides full access to all system functions. A non-root user limits the scope of potential damage in case of a security breach and promotes better auditing and accountability by providing a clearer record of administrative actions.
Before starting, ensure you have:
Linux Server with SSH Access: You should have access to a Linux server via SSH. This allows you to remotely manage and configure the server.
User Account with `sudo` Privileges: You'll need a user account with `sudo` privileges to edit the SSH daemon configuration and restart the service. If root is currently your only account, the next section creates that user.
Before disabling root SSH access, you must have a non-root user with `sudo` privileges; otherwise you will lock yourself out the moment root can no longer log in over SSH. You must also set up public-key authentication (an SSH key pair, not a password) for that non-root user, because password authentication is disabled later in this tutorial. Do both, and test them, before touching `sshd_config`.
If you need help with these prerequisites, refer to these tutorials:
How to Generate SSH Key Pair on Linux and Connect to a Linux Server
How to Generate and Use SSH Keys on Windows Using PowerShell and Connect to a Linux Server
Add a new user (replace `your_username` with your preferred username):
Linux (Debian/Ubuntu)
sudo adduser your_username
Add the new user to the `sudo` group. On Debian/Ubuntu, members of `sudo` may run any command as root after entering their own password; on RHEL-family systems the equivalent group is `wheel`.
Linux (Debian/Ubuntu)
sudo usermod -aG sudo your_username
Set up SSH key-based authentication for your non-root user. Follow the tutorials mentioned above for detailed instructions.
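As an added example, not code from the original tutorial, the following script carries out the three steps above in one go: it creates the user interactively (so `adduser` asks for the password that `sudo` will later require), adds it to the `sudo` group, and installs the public key with the directory and file modes `sshd` insists on. The username, the key and the `--apply` switch are placeholders you supply; the public key in the usage line is a constructed placeholder, not a real key.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): create the admin user and install
# its public key with the permissions sshd requires. Run as root (sudo bash ...).
set -eu

# install_authorized_key HOME_DIR PUBKEY [OWNER]
# Creates HOME_DIR/.ssh (0700) and appends PUBKEY to authorized_keys (0600) unless the
# exact line is already there. sshd (StrictModes, the default) refuses keys whose
# directory or file is group/world writable, so the modes are not optional.
# OWNER, when given, becomes the owner of the directory and file.
install_authorized_key() {
  local home="$1" pubkey="$2" owner="${3:-}"
  local dir="$home/.ssh" file="$home/.ssh/authorized_keys"
  mkdir -p -m 0700 "$dir"
  chmod 0700 "$dir"          # -m only applies when the directory is newly created
  touch "$file"
  chmod 0600 "$file"
  # Append only if this exact key line is not already present (idempotent re-runs).
  grep -qxF -- "$pubkey" "$file" || printf '%s\n' "$pubkey" >> "$file"
  if [ -n "$owner" ]; then
    chown -R "$owner:$owner" "$dir"
  fi
}

# provision_admin_user USERNAME PUBKEY
# Debian/Ubuntu: create the account (adduser prompts for the password sudo will ask
# for later), grant sudo through group membership, install the key, then verify.
provision_admin_user() {
  local user="$1" pubkey="$2"
  id "$user" >/dev/null 2>&1 || adduser "$user"
  usermod -aG sudo "$user"
  install_authorized_key "/home/$user" "$pubkey" "$user"
  # Show the result: group list should include "sudo" and sudo -l should list a rule.
  id "$user"
  sudo -l -U "$user" | grep -q '(ALL : ALL) ALL' \
    || echo "warning: no sudo rule found for $user; check /etc/sudoers" >&2
}

if [ "${1:-}" = "--apply" ]; then
  [ $# -eq 3 ] || { echo "usage: $0 --apply USERNAME 'ssh-ed25519 AAAA... comment'" >&2; exit 2; }
  provision_admin_user "$2" "$3"
fi
```

Run it as root, for example `sudo bash provision.sh --apply alice "$(cat ~/.ssh/id_ed25519.pub)"`, pasting the single line from your own public key file. Because `install_authorized_key` checks for the exact line before appending, running the script again with the same key changes nothing, which is what you want from a provisioning step.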
Modify the SSH configuration to restrict root login and password authentication.
Open the SSH configuration file using a text editor like `nano`.
Linux (Debian/Ubuntu)
sudo nano /etc/ssh/sshd_config
Locate the line that begins with `PermitRootLogin` and change its value to `no`.
Explanation of `PermitRootLogin` settings:
`PermitRootLogin yes`: Allows root to log in over SSH with any authentication method, including a password. Combined with password authentication, this is exactly the configuration that internet-wide brute-force scanners target.
`PermitRootLogin no`: Refuses every SSH login as root, whatever credential is presented. Root remains usable at the local console, and administrators obtain root through `sudo` (or `su`) after logging in as themselves, which is what makes each privileged action attributable to a person.
`PermitRootLogin prohibit-password`: Allows root over SSH only with non-password methods such as public keys (the older spelling `without-password` still works as an alias). This has been the OpenSSH default since 7.0. It is safer than `yes` but still leaves root as a direct login target, so `no` is the stronger choice. A fourth value, `forced-commands-only`, lets root authenticate with a key only when that key carries a `command=` restriction in `authorized_keys`.
Change the setting.
Linux (Debian/Ubuntu)
PermitRootLogin no
Next, set `PasswordAuthentication` to `no` so that only keys are accepted, for every account. This is the step that makes the earlier prerequisite non-negotiable: once it is active, an account without an installed public key cannot log in at all, so have your non-root user's key working first. One more directive belongs with it: `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication` in releases before OpenSSH 8.7; both names are accepted). Without it, PAM can still accept the user's password through the keyboard-interactive method even though `PasswordAuthentication` is off. Debian and Ubuntu ship this at `no`, but check rather than assume.
Why Use SSH Keys Instead of Password Authentication?
Security: With key-based authentication the server only ever holds the public half of a key pair; the private key stays on your machine and is never sent over the network. Anyone who reads the public key from the server, or from a code-hosting profile where you published it, learns nothing that lets them log in. A password, by contrast, is a shared secret the server must be able to check and that a user can be phished for or reuse elsewhere.
Resistance to guessing: A password can be guessed online (bots hammer port 22 with common passwords around the clock) or cracked offline from a leaked hash. An Ed25519 or RSA-4096 private key has no realistic chance of being guessed, and with passwords disabled the server refuses password attempts outright instead of checking them.
Convenience: Once the key is installed you log in without typing a password, and `ssh-agent` can hold the unlocked key so the passphrase protecting it is entered once per session rather than on every connection.
Find the line that starts with `PasswordAuthentication` and set it to `no`; add the line if it doesn't exist. One trap on Ubuntu 22.04+ and Debian 12: `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, and `sshd` uses the first value it reads for each keyword, so a drop-in file in that directory (cloud images often ship one, typically `50-cloud-init.conf`, containing `PasswordAuthentication yes`) silently overrides what you set further down. Run `grep -ri PasswordAuthentication /etc/ssh/sshd_config.d/` and change any file that still says `yes`, or place your directives above the `Include` line.
Linux (Debian/Ubuntu)
PasswordAuthentication no
After making the changes, save the file, check that `sshd` accepts the new configuration, and then restart the service to apply it.
Save and exit the text editor. In `nano`, you can do this by pressing `CTRL + X`, then `Y`, and `ENTER`.
This sequence (`CTRL + X`, `Y`, `ENTER`) ensures that any modifications you made in the SSH configuration file are saved.
After saving, validate the file with `sudo sshd -t`: it prints nothing on success and an error with a line number on failure. Only then restart the SSH service. If you restart on a file `sshd` rejects, the daemon does not come back and nobody can open a new session until it is fixed.
Linux (Debian/Ubuntu)
sudo systemctl restart sshd
This command restarts the SSH daemon (`sshd`; on Debian/Ubuntu the unit is `ssh.service` and `sshd` resolves to it as an alias) with the new configuration. Sessions that are already established are not dropped by the restart, so keep your current one open until you have confirmed that a fresh login works.
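The whole edit, validate and restart sequence, as an added script rather than code from the original tutorial. It sets the three directives in an idempotent way, reports any drop-in file that also sets them, refuses to restart unless `sshd -t` accepts the file, and prints the effective values afterwards. The file paths and the `sshd` unit name assume Debian/Ubuntu; the `--apply` switch and the `SSHD_CONFIG` and `DROPIN_DIR` variables are conventions of this script, not of OpenSSH.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: harden sshd_config idempotently,
# validate, then restart. Paths and unit name assume Debian/Ubuntu. Run as root.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
DROPIN_DIR="${DROPIN_DIR:-/etc/ssh/sshd_config.d}"

# set_sshd_option FILE KEY VALUE
# sshd uses the FIRST value it reads for a keyword, so the new directive goes on
# line 1, ahead of any "Include sshd_config.d/*.conf" line, and therefore wins.
# Every other active "KEY ..." line is commented out (this includes lines inside
# Match blocks; review those if you use them), and an earlier copy of the exact same
# directive is dropped so repeated runs leave a single clean line.
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  {
    printf '%s %s\n' "$key" "$value"
    sed -E \
      -e "/^${key} ${value}\$/Id" \
      -e "s/^([[:space:]]*${key}[[:space:]].*)\$/# \\1/I" \
      "$file"
  } > "$tmp"
  cat "$tmp" > "$file"   # write in place so the owner and mode of FILE are preserved
  rm -f "$tmp"
}

# harden_sshd: back up, set the directives, warn about drop-ins, validate, restart.
harden_sshd() {
  local backup="${SSHD_CONFIG}.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$SSHD_CONFIG" "$backup"
  echo "backup written to $backup"

  set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
  set_sshd_option "$SSHD_CONFIG" PasswordAuthentication no
  # PAM can still take a password via keyboard-interactive unless this is off too
  # (releases before OpenSSH 8.7 spell it ChallengeResponseAuthentication).
  set_sshd_option "$SSHD_CONFIG" KbdInteractiveAuthentication no

  # Drop-ins normally override sshd_config; line-1 placement above defeats that,
  # but list them so nobody is surprised later (cloud images often ship one).
  if [ -d "$DROPIN_DIR" ]; then
    grep -Eil '^[[:space:]]*(PermitRootLogin|PasswordAuthentication|KbdInteractiveAuthentication)[[:space:]]' \
      "$DROPIN_DIR"/*.conf 2>/dev/null | sed 's/^/note: directive also set in drop-in: /' || true
  fi

  # Never restart on a file sshd will refuse: the daemon would not come back.
  sshd -t -f "$SSHD_CONFIG"
  systemctl restart sshd
  # Existing sessions survive the restart; keep yours open until a new login works.
  sshd -T -f "$SSHD_CONFIG" \
    | grep -Ei '^(permitrootlogin|passwordauthentication|kbdinteractiveauthentication) '
}

if [ "${1:-}" = "--apply" ]; then
  harden_sshd
fi
```

Invoke it as `sudo bash harden-sshd.sh --apply`. Putting the directives on line 1 instead of editing the existing `#PermitRootLogin prohibit-password` line in place is deliberate: it is the one position that beats both the `Include` drop-ins and any later duplicate, and the commented-out originals stay in the file as a record of what was changed.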
Before closing your current session, and while keeping it open as the fallback, confirm that you can SSH into the server as the non-root user with your key.
Open a new terminal or SSH session.
SSH into your server using the new non-root user with your SSH key.
Use the `-i` option with the `ssh` command to specify the private key when connecting to the Linux system.
Windows (PowerShell)
ssh -i "C:\Users\YourUsername\Desktop\CustomFolder\my_ssh_key" -p port_number username@server_ip_address
Linux (Debian/Ubuntu)
ssh -i "/home/YourUsername/CustomFolder/my_ssh_key" -p port_number username@server_ip_address
Replace `username` with your server username, `server_ip_address` with the server's IP address or hostname, and `port_number` with the port number your SSH server is using.
If you can log in successfully, root SSH access and password authentication are off. To confirm what `sshd` is actually enforcing, run `sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'`, which prints the effective values after every include and default has been resolved, and try `ssh root@server_ip_address`, which must now be refused.
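To go beyond "I could log in", here is an added verification script (not from the original tutorial) that checks both what `sshd` is enforcing and what a client can see. `check_effective_config` parses `sudo sshd -T` output, `offered_methods_from_error` reads the method list out of an ssh refusal message such as `user@host: Permission denied (publickey,password).`, and `probe_server` runs the three live checks. `HOST`, `PORT`, `USER` and `KEY` are placeholders passed on the command line; the `--probe` switch is this script's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: verify the new policy from both sides.
# Server side: read the values sshd actually uses (sudo sshd -T), not the file you edited.
# Client side: learn which authentication methods the server still offers.
set -eu

# check_effective_config TEXT
# TEXT is the output of "sudo sshd -T" (lowercase "keyword value" lines). Prints a
# FAIL line for each directive not at its expected value and returns 1; returns 0
# only when all three are correct. A missing keyword counts as a failure.
check_effective_config() {
  local text="$1" pair key want got rc=0
  for pair in permitrootlogin=no passwordauthentication=no kbdinteractiveauthentication=no; do
    key="${pair%%=*}"; want="${pair#*=}"
    got="$(printf '%s\n' "$text" | awk -v k="$key" '$1 == k { print $2; exit }')"
    if [ "$got" != "$want" ]; then
      printf 'FAIL: %s is "%s", expected "%s"\n' "$key" "${got:-unset}" "$want" >&2
      rc=1
    fi
  done
  return "$rc"
}

# offered_methods_from_error TEXT
# Extracts the method list from an ssh refusal such as
#   user@host: Permission denied (publickey,password).
# and prints it ("publickey,password"). Prints nothing if no such line is present.
offered_methods_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1
}

# probe_server HOST PORT USER KEY
# 1. key login as USER must work; 2. the server must offer publickey only;
# 3. root login must be refused. Needs network access to the server.
probe_server() {
  local host="$1" port="$2" user="$3" key="$4" err methods
  ssh -i "$key" -p "$port" -o BatchMode=yes "$user@$host" 'echo "key login ok as $(id -un)"'

  # PreferredAuthentications=none makes ssh send only the "none" request and give up;
  # the rejection message then lists every method the server would still accept.
  err="$(ssh -p "$port" -o BatchMode=yes -o PreferredAuthentications=none \
            "$user@$host" true 2>&1 || true)"
  methods="$(offered_methods_from_error "$err")"
  case ",$methods," in
    *,password,*|*,keyboard-interactive,*)
      echo "FAIL: server still offers password-style auth: $methods" >&2; return 1 ;;
    *publickey*)
      echo "server offers: $methods" ;;
    *)
      echo "could not determine offered methods: $err" >&2; return 1 ;;
  esac

  # Any successful root login is a failure, whatever key or agent the client holds.
  if ssh -i "$key" -p "$port" -o BatchMode=yes "root@$host" true 2>/dev/null; then
    echo "FAIL: root login still possible" >&2; return 1
  fi
  echo "root login refused as expected"
}

if [ "${1:-}" = "--probe" ]; then
  probe_server "$2" "$3" "$4" "$5"
fi
```

From your workstation run `bash verify-sshd.sh --probe server_ip_address port_number your_username ~/.ssh/id_ed25519`; on the server, `sudo sshd -T` piped into `check_effective_config` is the authoritative answer, because it reflects drop-ins, defaults and the running daemon's view rather than the text you edited. The `PreferredAuthentications=none` trick is the same enumeration an attacker's scanner performs, which is why "offers publickey only" is the result you want to see.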
By following these steps, you have successfully enhanced the security of your Linux server by disabling root SSH login and password authentication. Always ensure you have a non-root user with the necessary privileges to manage your server effectively.
Published: June 23, 2024