Turning off PermitRootLogin in sshd prevents any user to connect

Command Center

3 min read

·

22-10-2024

the ifix

1

0

Share

One common configuration step in securing SSH (Secure Shell) is the adjustment of the PermitRootLogin directive in the sshd_config file. However, an incorrect implementation can lead to unexpected access issues for all users, not just the root account.

The Problem Scenario

Imagine you are a system administrator who needs to enhance the security of your server. You decide to disable root login over SSH to minimize the risk of brute-force attacks. However, after changing the setting, you find that no user can connect to the server at all. Below is the original code you might have used:

# In /etc/ssh/sshd_config
PermitRootLogin no

This seemingly simple change can result in connectivity issues if not executed correctly. In this article, we will explore the implications of disabling PermitRootLogin, common pitfalls, and best practices for secure SSH configuration.

The Implications of Disabling PermitRootLogin

The PermitRootLogin option controls whether the root user is allowed to log in over SSH. When set to no, it prevents root login directly, which is generally a good security practice. However, if not configured correctly, this could lock out all users from the server.

Common Pitfalls

1. No Non-Root User Configuration: If you disable root login but do not have any other non-root user set up or configured properly, you will face connectivity issues. Always ensure there is at least one user with sudo privileges.

2. SSH Key-Based Authentication Misconfiguration: If you're using SSH keys for authentication, ensure the permissions and ownership for the key files are correctly set. Improper configurations can lead to connection refusals.

3. Firewall Rules: Sometimes, firewall settings may inadvertently prevent access. Always check your firewall rules if you experience connectivity issues after modifying sshd_config.

4. Other Configuration Changes: Ensure that other directives in your sshd_config file are not interfering with user logins. For instance, AllowUsers or DenyUsers can restrict access further.

Best Practices for Secure SSH Configuration

To maintain a secure yet accessible server environment, consider the following steps:

• Create a Non-Root User: Prior to disabling root login, create a new user and grant them sudo privileges. This user will act as your primary means of administration.

  # Create a new user
  sudo adduser username
  
  # Add the user to the sudo group
  sudo usermod -aG sudo username
  

• Use SSH Key Authentication: Instead of relying on passwords, configure SSH key-based authentication for enhanced security.

• Test Your Configuration: Before fully committing to configuration changes, use a separate terminal or connection to test accessibility. This ensures you do not lock yourself out.

• Backup Configuration Files: Always make a backup of your sshd_config before making any changes, so you can easily revert back in case of issues.

  # Backup command
  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  

• Enable PermitRootLogin for Specific Conditions: If you must allow root login, consider restricting it with conditions such as PermitRootLogin without-password to only allow SSH key-based logins.

Conclusion

Disabling PermitRootLogin is a crucial step in enhancing your server's security posture. However, it must be executed thoughtfully to prevent accidental lockouts of legitimate users. Always ensure you have alternative access methods configured and test your changes thoroughly.

By following these guidelines and best practices, you can maintain a secure and accessible server environment.

Useful Resources

• OpenSSH Official Documentation
• DigitalOcean Tutorial: How To Set Up SSH Keys
• Linuxize: How to Secure SSH on Ubuntu

Implement these practices to ensure both security and accessibility to your servers!