By default, SSH allows any valid user account, including root, to log in to the remote system. Setting a strong password on the root account only limits its exposure to brute-force attacks; it does not remove it, so malicious access to the root account remains possible. It is therefore best practice to disable root login via SSH and to use a non-privileged user account for accessing the remote system. Once you have logged in to the remote system as the non-privileged user, su - can be used to switch to the root account. This tutorial explains how to disable root user login via SSH on CentOS 7.
Step 1: Log in to the system as the root user. Don’t worry, this is the only step in which you use the root account for remote login.
Step 2: Create an alternate user account, for example administrator.
[root@root ~]# adduser administrator
Step 3: Set a strong password for the user account created in step 2.
[root@root ~]# passwd administrator
Step 4: Open another terminal and log in to the system as the new user created in step 2. This step lets you verify that the new account works properly.
Step 5: Test that you can switch to the root account.
[administrator@administrator ~]$ su -
Enter the root account password and check that you have gained root access.
[root@root ~]# whoami
root
Step 6: Disable root user login via SSH by editing the sshd configuration file.
[root@root ~]# vi /etc/ssh/sshd_config
Step 7: Look for the line '#PermitRootLogin yes'. This commented-out line shows the default: root login is allowed by SSH.
Step 8: Change '#PermitRootLogin yes' to 'PermitRootLogin no'.
Step 9: Save the file and exit.
Step 10: Make sure sshd_config has no syntax errors.
[root@root ~]# /usr/sbin/sshd -t
[root@root ~]# echo $?
0
An exit status of 0 means sshd_config has no syntax errors. If there were an error, sshd -t would print it and return a non-zero exit status.
Step 11: Restart sshd so that it reads the new configuration.
# service sshd restart
Step 12: Verify that root login via SSH is disabled.
ssh root@<ip-address>
Access should be denied even when you enter the correct root password: SSH is now refusing logins to the root account.
Step 13: Log in as the non-privileged user account created in Step 2.
Step 14: When you need root privileges, switch to the root account as follows:
[administrator@administrator ~]$ su -
That’s it! You have successfully disabled root login to the remote system via SSH.
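The following shell helper is an added example and is not part of the tutorial above. It makes the edit from steps 7 to 10 scriptable and lets you confirm which PermitRootLogin value sshd will actually apply before restarting the service. It assumes GNU sed, grep and awk as found on CentOS 7; the function names are hypothetical, and the sample sshd_config it operates on is constructed for the demonstration rather than copied from a real system.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes GNU sed/grep/awk
# as shipped with CentOS 7. Function names are hypothetical.

# set_permit_root_login FILE VALUE
#   Rewrites every PermitRootLogin line in FILE, commented or not, to
#   "PermitRootLogin VALUE". All occurrences are rewritten because sshd uses
#   the first value it finds for a keyword, so an uncommented
#   "PermitRootLogin yes" earlier in the file would otherwise win.
#   If FILE contains no PermitRootLogin line at all, one is appended.
set_permit_root_login() {
    file=$1
    value=$2
    pattern='^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]'
    if grep -Eq "$pattern" "$file"; then
        sed -E "s/${pattern}.*/PermitRootLogin ${value}/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'PermitRootLogin %s\n' "$value" >> "$file"
    fi
}

# effective_permit_root_login FILE
#   Prints the value sshd will apply: the first uncommented PermitRootLogin
#   directive, or "yes" (the default described in step 7) if none is set.
#   Directives inside Match blocks are not handled by this helper.
effective_permit_root_login() {
    v=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'yes\n'; fi
}

# Demo on a constructed sample config, never on the live /etc/ssh/sshd_config.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample sshd_config' 'Port 22' \
        '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$tmp"
    before=$(effective_permit_root_login "$tmp")
    set_permit_root_login "$tmp" no
    after=$(effective_permit_root_login "$tmp")
    rm -f "$tmp"
    printf 'before=%s after=%s\n' "$before" "$after"   # before=yes after=no
}
demo

# On the real system, as root, the equivalent of steps 8 to 11 would be:
#   set_permit_root_login /etc/ssh/sshd_config no \
#       && /usr/sbin/sshd -t && service sshd restart
```

Run the helper against the real file only from the root session opened in step 1, and keep the second terminal from step 4 logged in until step 12 confirms the new behaviour, so that a configuration mistake cannot lock you out. On CentOS 7, service sshd restart is forwarded to systemctl restart sshd, so either command works. The helper deliberately does not interpret Match blocks; if your sshd_config uses them, check the PermitRootLogin value inside each block by hand.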
