Linux Security: Disable Root SSH Login on CentOS/Redhat
Why would you want to disable root ssh login? Because every Linux server has a root user. A hacker can attempt to brute force your root password if you allow ssh login for the root user. But if you create another user and disable root ssh login, a hacker doesn't know your username, so a brute-force attack is useless. The newly created user can use sudo or su to do system administration.
This tutorial will show you how to create a user account that can use su or sudo and then how to disable root ssh login on CentOS/Redhat.
Create A New User Account
1. Create a user account using the following command. In this example I will use the username newuser. The adduser command will create the user, its initial group and its home directory.
2. Set a password for the user. You have to type the password twice.
3. Now verify that you can use the new user account to log in via ssh. By default, the newly created user can use the su command to switch to root.
[[email protected] ~]$ su -
Password:
[[email protected] ~]$ whoami
root
If for some reason you can't use the su command, then add your user to the wheel group.
usermod -aG wheel newuser
4. However, the new user can't use the sudo command yet. If you want your user account to use the sudo command, execute the following commands as root:
yum install sudo
echo 'newuser ALL=(ALL) ALL' >> /etc/sudoers
5. Now verify that the user account can use the sudo command.
Disable SSH Login for the root user
Now that you have a separate user account that can use su or sudo to assume root permissions, it's time to disable root ssh login. First edit the /etc/ssh/sshd_config file with your favorite text editor. I like to use the vi editor.
Find the following line:
Change it to this:
Save the file. Now it's very important for you to check that your new user account can log in via ssh, because we're going to restart the ssh service and after that you can no longer log in as root through ssh.
systemctl restart sshd
Now only the new user account can log in via ssh. If you try to log in as root over ssh, even though you type the password correctly, you will still get a permission denied error.
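The sshd_config edit and checks described above, as an added example that is not part of the original tutorial: shell functions (hypothetical names) that set PermitRootLogin no in a config file, report the value in effect, and flag Match-block overrides. It assumes a single config file with no Include directives, and the demo runs on a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the original tutorial; function names are hypothetical.
# Assumes one config file with no Include directives.

# Print the PermitRootLogin value from the global section: the first uncommented
# occurrence before any Match block is the one sshd uses. "unset" if absent.
effective_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Rewrite FILE (backup in FILE.bak) so the global section holds exactly one
# "PermitRootLogin no", placed before any Match block.
set_permit_root_login_no() {
    tmp=$(mktemp) || return 1
    cp -p "$1" "$1.bak" || return 1
    awk 'tolower($1) == "match" && !seen_match {
             if (!emitted) { print "PermitRootLogin no"; emitted = 1 }
             seen_match = 1
         }
         !seen_match && tolower($1) == "permitrootlogin" {
             if (!emitted) { print "PermitRootLogin no"; emitted = 1 }
             next    # drop further global duplicates
         }
         { print }
         END { if (!emitted) print "PermitRootLogin no" }' "$1" > "$tmp" &&
        cat "$tmp" > "$1"    # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# List PermitRootLogin lines inside Match blocks; these can still allow root
# for particular users or addresses even when the global value is "no".
match_block_overrides() {
    awk 'tolower($1) == "match" { m = 1 }
         m && tolower($1) == "permitrootlogin" { print NR ": " $1 " " $2 }' "$1"
}

# Demo on a constructed sample file (not a real server config).
demo_cfg=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin yes' \
    'Match User backup' '    PermitRootLogin yes' > "$demo_cfg"
set_permit_root_login_no "$demo_cfg"
echo "global: $(effective_permit_root_login "$demo_cfg")"
match_block_overrides "$demo_cfg"
rm -f "$demo_cfg" "$demo_cfg.bak"
# On a real host, as root: set_permit_root_login_no /etc/ssh/sshd_config,
# then run "sshd -t" and restart sshd only if it reports no errors.
```

Keep your existing root session open until a second terminal confirms that the new user can still log in.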