Disable Root SSH Keys Login on Linux
28 Jul 2025 · 5 min read
Linux, SSH, Security


Root is the superuser in a Linux system. It has unrestricted access to everything, every file, every folder, every command. As a regular user, you might see a "permission denied" message. But if you're root, that restriction is gone.

However, with great power comes great responsibility. One wrong move as root and boom, you can break the entire system. Also, if an attacker gains access as root, it's game over. That's why allowing direct root login over SSH is risky. Disabling it is one of the simplest yet most effective ways to enhance your server's security.

In this guide, we’ll walk you through why and how to disable root SSH key login on Ubuntu Linux. You’ll understand the benefits and the exact steps to implement the change confidently.

Step-by-Step: Disable SSH Root Login

1. Log in as root

Open your terminal and run the ssh command with the root user and your server's IP address.

ssh root@your-server-ip

2. Create a new user

Once connected, create a new user with sudo privileges if you don't have one yet. Otherwise, you might lock yourself out. Let's create a new user with the adduser command and name it Bob.

adduser bob

Enter a password for the new user, then retype it. Next, fill in each of Bob's details, or press Enter to accept the defaults.

3. Add Bob to the sudo group

After that, add Bob to the sudo group. The sudo group is a special user group whose members are allowed to execute commands with root privileges by using the sudo command.

usermod -aG sudo bob

4. Add Bob's public key to the authorized_keys file

This step is crucial. You must add your public SSH key for each user you want to log in as over SSH.

First, for Bob, create the SSH directory where SSH looks for the authorized_keys file that holds allowed public keys.

mkdir -p /home/bob/.ssh

Then, copy root's authorized_keys file into Bob's SSH directory, allowing you to SSH as Bob using the same key.

cp /root/.ssh/authorized_keys /home/bob/.ssh

SSH requires strict permissions on authorized_keys. The owner can read and write, and no permissions are allowed for anyone else.

chmod 600 /home/bob/.ssh/authorized_keys

Lastly, ensure the file belongs to Bob. If root owns the file, Bob can't read it.

chown bob:bob /home/bob/.ssh/authorized_keys

5. Open the SSH configuration file

In this step, you need to open the SSH configuration file.

sudo nano /etc/ssh/sshd_config

In this file, search for PermitRootLogin and change yes to no. If the line is commented out, uncomment it and set it explicitly to no. After updating the file, press Ctrl+X, type Y, and press Enter to save.

6. Restart the SSH service

In the last step, restart the SSH service to apply the changes.

sudo systemctl restart sshd

Or on older systems:

sudo service ssh restart

7. Test it

Now, open a new terminal and try logging in as root. You should see a permission denied message.

ssh root@your-server-ip

Then, log in with your new user.

ssh bob@your-server-ip

And you are in. Perfect. You've successfully disabled root login over SSH.
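The checks below are an added example, not part of the original guide, and can be run as root after step 5 and before the restart in step 6 to confirm that Bob can get in and root cannot. They rely on `sshd -T`, which prints the effective configuration read from disk (including any files pulled in by Include), and they accept only the value no, because prohibit-password still lets root log in with a key. The function names are made up for this example, and GNU stat as shipped on Ubuntu is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes Ubuntu with GNU stat.

# Read `sshd -T` output on stdin; succeed only if root login is fully off.
# "prohibit-password" (and its old alias "without-password") still let root
# in with an SSH key, so only the literal value "no" passes.
root_login_disabled() {
    value=$(awk '$1 == "permitrootlogin" { print $2; exit }')
    [ "$value" = "no" ]
}

# Succeed only if key file $1 is owned by user $2 (name or numeric UID)
# and grants nothing to group or others.
key_file_ok() {
    [ -f "$1" ] || return 1
    want_uid=$(id -u "$2" 2>/dev/null) || want_uid=$2
    [ "$(stat -c '%u' "$1")" = "$want_uid" ] || return 1
    case $(stat -c '%a' "$1") in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if user $1 is in the sudo group.
in_sudo_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx sudo
}

# Hypothetical wrapper: run as root after editing sshd_config, before restart.
preflight() {
    user=$1
    in_sudo_group "$user" || { echo "$user is not in the sudo group"; return 1; }
    key_file_ok "/home/$user/.ssh/authorized_keys" "$user" ||
        { echo "bad owner or mode on authorized_keys"; return 1; }
    sshd -t || { echo "sshd_config has syntax errors"; return 1; }
    sshd -T | root_login_disabled ||
        { echo "root login is still permitted"; return 1; }
    echo "safe to restart sshd"
}
```

After sourcing the file as root, `preflight bob` prints "safe to restart sshd" only when all four checks pass. Keep the current root session open until the login as Bob in step 7 has worked.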

Conclusion

Disabling root login over SSH is a simple yet powerful security step. It enhances your server's security by removing the risk of unauthorized direct root login over SSH.

Thank you for reading.